44caliber | hxxps://disk[.]yandex[.]ru/d/Q42s_pnSqJua_Q

Analysis

max time kernel
297s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/Q42s_pnSqJua_Q

Score

10^/10

44caliber credential_access discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1281303908660281428/jXn9yXul8brFynrNiXN5SE_S3niS-acS9ruuV1vZVWEusJ7Aq-GhraVebMHzlm2Ch5SA

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
2296	7z2408-x64.exe
724	7zFM.exe
1412	steam.exe
2888	steam.exe
2860	steam.exe
3396	steam.exe
1440	steam.exe
1680	steam.exe
4164	steam.exe
2636	steam.exe
3244	steam.exe
3396	steam.exe

Loads dropped DLL 2 IoCs

pid	Process
3492	Process not Found
724	7zFM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
132	freegeoip.app
134	freegeoip.app
135	freegeoip.app
138	freegeoip.app
139	freegeoip.app
140	freegeoip.app
127	freegeoip.app
129	freegeoip.app
137	freegeoip.app
126	freegeoip.app
136	freegeoip.app

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{61399BE2-D189-49D3-B1E6-BD65C6C8289E}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 624109.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
824	msedge.exe
824	msedge.exe
1488	identity_helper.exe
1488	identity_helper.exe
464	msedge.exe
464	msedge.exe
2920	msedge.exe
2920	msedge.exe
2700	msedge.exe
2700	msedge.exe
1412	steam.exe
1412	steam.exe
1412	steam.exe
1412	steam.exe
2888	steam.exe
2888	steam.exe
2888	steam.exe
2888	steam.exe
2860	steam.exe
2860	steam.exe
2860	steam.exe
2860	steam.exe
3396	steam.exe
3396	steam.exe
3396	steam.exe
3396	steam.exe
1440	steam.exe
1440	steam.exe
1440	steam.exe
1440	steam.exe
1680	steam.exe
1680	steam.exe
1680	steam.exe
1680	steam.exe
4164	steam.exe
4164	steam.exe
4164	steam.exe
4164	steam.exe
2636	steam.exe
2636	steam.exe
2636	steam.exe
2636	steam.exe
3244	steam.exe
3244	steam.exe
3244	steam.exe
3244	steam.exe
3396	steam.exe
3396	steam.exe
3396	steam.exe
3396	steam.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
724	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	724	7zFM.exe
Token: 35	724	7zFM.exe
Token: SeSecurityPrivilege	724	7zFM.exe
Token: SeDebugPrivilege	1412	steam.exe
Token: SeDebugPrivilege	2888	steam.exe
Token: SeDebugPrivilege	2860	steam.exe
Token: SeDebugPrivilege	3396	steam.exe
Token: SeDebugPrivilege	1440	steam.exe
Token: SeDebugPrivilege	1680	steam.exe
Token: SeDebugPrivilege	4164	steam.exe
Token: SeDebugPrivilege	2636	steam.exe
Token: SeDebugPrivilege	3244	steam.exe
Token: SeDebugPrivilege	3396	steam.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
724	7zFM.exe
724	7zFM.exe
724	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe
824	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	7z2408-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1044	824	msedge.exe	82
PID 824 wrote to memory of 1044	824	msedge.exe	82
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3832	824	msedge.exe	84
PID 824 wrote to memory of 3868	824	msedge.exe	85
PID 824 wrote to memory of 3868	824	msedge.exe	85
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86
PID 824 wrote to memory of 4436	824	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/Q42s_pnSqJua_Q
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab93046f8,0x7ffab9304708,0x7ffab9304718
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8265175536962809475,8286929805528167311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3664

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Steam.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:724

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Users\Admin\Desktop\steam\steam\steam.exe
"C:\Users\Admin\Desktop\steam\steam\steam.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
420B

MD5
01735e34db13c5f93eead0f8572adb67

SHA1
5b819f76344907d93f62ecd11e2a2cbd514bee2f

SHA256
bca74f82c72da083cf88a725f198e0730982595bfa6a137e46d0b77b81552f4d

SHA512
e833925ccd15947e9234b72cf06e2620b3d982dd4840e5c5cae31634f437702b10c29db85fbb5115490f1d72f4bb5b935815fb14f6221ace756216604101924c

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
525B

MD5
74d90dd5a73f1679bd73fdce50983c50

SHA1
6f374995ce4842a9f07fc1a935833003066820bb

SHA256
da34d9a479cfcc31980c9be0a13eb90defa37ec3438f114f03f12649a415cfb9

SHA512
ad173b782022b72727c9a1d66aa7509ac316450d18561b018ddf563fe921636ea32d9615019ee0fb3be7a8b781154c5e09f6916547bbb7ab4484d3fea509b95f

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
630B

MD5
aef24d8d3c507674cea8b016e2f4e6a3

SHA1
411eb0cddf04fa969a50736544ac4a6a9a545b80

SHA256
0fe82ba06f72db753abdf7a51b016bb6ccb880deb1850f56c921264fb2d419da

SHA512
33904ba625025eb67370ac60d07a2150cb3e4228867716f109e7fb9a470e71987178f1aa209eac6de20734e4e41fbb336c0e9671b4397dab90edc2d6c41b883f

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
735B

MD5
fc161acb0edaa484d705d83835de0e24

SHA1
00850bbea1ef2db2a16dbb4427822bffbb173d54

SHA256
6f355f6b050ea450b7f36f8c66121c77fbd5fbf62fba28a5c3305e37977342be

SHA512
fdccf446d488e5561c71096e00200d384c7870d546433b8dffea7bad1807cc14a98bc6837dd10e12e8fbf70482cce8cf15b02062bbd1bd39dfc416dc67381a0e

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\72ed001d-d021-4af4-b8e7-b98f9d1fa33f.tmp

Filesize
11KB

MD5
3bd2be6708a25dfc84c44294463ece47

SHA1
7d9c70bb5d568c16df1cf9cea1473e4f29c4b25a

SHA256
6fab173df3419cba68ff6637b7c58454c8ab03477adc355ed1bbeae5882ea7cf

SHA512
ecf2d3c9c8f17f253c4f424411d28cdd44608f4a98751bc55b88d3894646b6c7d4447d0068acad71e2960bd974ac58f83e4680d0b41e8b0a2efd34aaa7a10954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
9bec7bd9d77f738030e10c8af54ff118

SHA1
4a39e5b75e264dcf3c6190560e83cc42ed82924e

SHA256
742f81937b9d7a688e03f0fc34e17a24bb5e5b2b82a4f609c5c272cd64f92339

SHA512
21dd895fe8cf68782cd49e68aed62bb0ded201f09c61fce9be2a7b16a9ab833b5a198d83cd7ce580e7935165cb6528feba84764ddce51f9e1f5b584530ac2f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8b673e573ac0d50ffff48394a2bd3f44

SHA1
fc6482c7d24f61575660e801a8e1264ecf47d702

SHA256
c67b55494021e9671ee276ebe93346ada62f6ff5700c5392932ec78c9c9a8f3b

SHA512
43a209c7f012ee1c7769cb79679e7a2f5d4213298965e047c2c7d548e1e3ba7b60b29c83a72abf0f4563b4d65d1f10d8a9e0314d6133062d5b40ac1ed63b1882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
94a6f8984973a71ed8af918f75b4b84c

SHA1
f32cf9de1bef81a7a2c26aebb2d69aecbc9e6f17

SHA256
65873e66145d2e4695b0438788f334670fbcafa2ab24eef9c814ca11548f7797

SHA512
b2dbc7730bde8032c2943eef34b029a9b0ed133e88f3ef3b49f55e242f98c6ff4819770905b5bfa0063d7aa99f3db1fe077ff3fb1a823693d5870e7ae0fe1ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
993B

MD5
773c416f134cab24675caef0131a10fe

SHA1
4cec0b239c7f24e89902878ccda959ea99370dca

SHA256
5fe6582377fb92a09a2c2343bb17eea247d3d5ac6c13712cb1fa8af2886aefbb

SHA512
cd2999fba18e24b30dd07bfefbfd2f0e6bddeafc0ba2f85f242c0ac240ecf6f3a4324ac5d40051a3f572d438c07adb57b88c92ca5d76c6be9c736e93b2a43010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9924404fbbb487940271c4820b6c0b0d

SHA1
5f35297aa76721ecf4bd70f75fa3fbf4210ee85d

SHA256
b7554d97090791645eb81106967253281a2adefae4d7d8e67f4a69ad8fe7cecf

SHA512
b34d67213e8751f4af858831ba877ab2b1a624450c6aacfe57a3ef146d7dff271226e2a18efc7a10e63e959d9a8a3b7b68167e8f1328b82ea3d52653ec24a8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
94df98d7561146caa50dca62604c1e56

SHA1
6d91af100cf8234a085aeafa43ee61ba27c0ecf1

SHA256
43c2b173447ddffc311ca54a69fcc2c6a99123ad5acc543127bf298212254d48

SHA512
23d56283ae2d8e68ecc9c389cd6bafb66502109f5339d176067960b70cd740d1e646cab7b9838dc1f958b1324aa5c5671764c8454e1c36627bba2eddc47a2c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0871608ab0714123f1f122a77a30a730

SHA1
4a91e31b91fc04d66a730363b6738770032901d2

SHA256
ed484824083356af6dd80f3ad8e5080679b71391ca74abb14f6379c650831f38

SHA512
e2a95a05351534927e320f6340afefa315c223770f861283f5772b15146da88f37398522b5fbdddc1334b8edc11cc7057d71fde3ca5c473a2ff95f5dfc8cd1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b45d9b35aeab22f678d8329e2ae8781f

SHA1
d06607174d7ec3d38077ed28a6142f8fd020d792

SHA256
64d69a5b9ec12effdec11211859caac36b7ea5b1009b918400bc1da9364a1366

SHA512
2e3340baf9d73e5057b8191df7887928325595dc0e1f2fad96159c0760fb12d61742be28949b3921958a079f1ab6aa3731cf0d00f4cd29d73917581edca997a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffe6040cf62548494b256ed6439cc129

SHA1
a7c6f39b9b10ee730e7380b2cf8c18d568d4ca19

SHA256
97f38be0f0b3f588ecacf83c9d4731fe2d73e90c34b8b6a6b7f06e158c57b733

SHA512
931193d31b0565eef702c93cd122cc4eafef71948b92169d5fa6f857e67115412b4d60c23f4d3223c5e2817232a6bb3a1cada5e87ec9339bbf4e65adc094845d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b62c976001c2c10ebaca61feea3daa03

SHA1
9c11ac588426da0ebeaf281b4aa0613516e7c5a5

SHA256
5c1d9835baeef0a5b05371793663290dfd8342aebc93edfb3d52d74c0c161e32

SHA512
1da8b932138562e745689ba874e1170920b2a4f29ab6ab3174bb0609413dcff58887ff0f65a76a8ad09ad1ac2883962309589ae0e88324c9a67d74c720ce9192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581cba.TMP

Filesize
707B

MD5
4d7bbc0f2ee0a8ab2061aaeb57943839

SHA1
be88eb06ea49d3714315c40f186178fc1617db9d

SHA256
2f26411a76237530a3996041ebfc1eb44af80e7d67a9f1e167d6bf0c40d63980

SHA512
87c3fa066d0befbd87513e9e81fe635489d810f9578582428c7034e8fa14607b7b1c1a9834e0173a084651743181297059d5f4f88b8f7ff925dcaa9cd61226da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
d20682d24ab566f07dc4811fea3b820a

SHA1
5acba869f666e2a67e6cda78cc17c57cdd182b4a

SHA256
aeedb99eb5708dc5647bd6280bff7ca8b144172bbbd195292fbb71f5ae2fca09

SHA512
cec5ae20767e21ed37f726f86385d80b7e19b86b4455a31514db50c87a7960d6e318ec7291b4a2e41ca7cff81d50f573aa4eeb1e7cd72b727f3977b466a953e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f823446f3963bca16ecdea14809d3ba

SHA1
132e481ff58d363a1ede83c02ecdad72060f8a6b

SHA256
d4bed203c2b5f1b1797626615ab18002506db9ff051ee5ede772f9f0fd956cde

SHA512
caf9135109a8b3fec5812fd156328cfa11531c1e021d12c5508945a9ff0e697fc2126ef3e5e1df544f40608b123c83544f51bb93807c94c5f4f4bc893adc65d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bf69251beacca40c48b7fd2a1fb8b04c

SHA1
157efdd17f5f3ee5b873bbcd9215ed7feb88b372

SHA256
cfc8eaaf8d1ce003539f9e4dfba6741e3088a2882ab25829c3a43bd947540f99

SHA512
ef3a50062a534c683f6d4aa3c266ba86e5d0ad33d956844717612b6a3df018b4ef715153cebed8fd944b00c2e4d4ef627231d2f2b2ac1183d118f051c7c868c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC668.tmp.dat

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp.tmpdb

Filesize
5.0MB

MD5
14640ede02774424a6e16d3c3b459bd0

SHA1
00915b6769e94bc726b64a2decc881262b4f1b9f

SHA256
676e950074a335c14afceb09c942c56ad0988ad04221949f6bd83b67570d4483

SHA512
63b063abac61c8fabd140b138a629bc029bf82174578c7e018b12c831285cd30ec53bd43ce1243d903dcddd87facf6c740d04048512f8e42a84d4606365c47fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC919.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC93B.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC93E.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(26).txt

Filesize
5KB

MD5
817ecb844d9a10732f642a7c657dfa46

SHA1
7bbe1c8bfeeb72177963baedb975ce88349b8940

SHA256
9f7e4c590df1ffb291439d5df0aea4b31fb5ee79239d730e36e53f374235f884

SHA512
73c348183d3c4047c115780a1c2b6ad55d465ad6944c4dcbf9570b948a599f3b2fbc4ae1b7c68b18ad3268a7ccf2b8c4917d0bcac925f98dd658bc9a8d44e372

Download Submit
C:\Users\Admin\Desktop\steam\steam\Insidious.pdb

Filesize
965KB

MD5
cc82c8e74533a241028a700612f5c358

SHA1
f72e1fffe7afa75b54bf4758b29f844a61432cae

SHA256
18d5475e20aa0a1a30f66600de406f68b2567f2920ef79cd770eb0812224e259

SHA512
05bcabb7839ea703258e240d20e7d99a187cdad02e84f3ca3dc4e7e30c717066bd4daae85a80caf0cf1b1e98aa15dc842bccf52d084705b797bb5dae5d64522e

Download Submit
C:\Users\Admin\Desktop\steam\steam\steam.exe

Filesize
303KB

MD5
c1e66022ff335b6e4fc1d8bcfbd26cd8

SHA1
0055d102c04ac205dfd287a5d97e12e32869ebb6

SHA256
f1bb41a1b87bad0300578957690e677ed0aeff672584f9f6b47329d8a54b00db

SHA512
7e10831783b4aeca8826bb3ff1402fe87f3ea96b4c2611cb501a9c311eb08835114790ab5175ab5165347990a99e0fb627c0a6b1ff6dcbdfdb76a078052b2d8f

Download Submit
C:\Users\Admin\Downloads\Steam.rar

Filesize
286KB

MD5
26128137ef9a6a830e981d2339b8d1d2

SHA1
eac89ee86953433a4f5d373008a59ad7d7984e51

SHA256
c90cef004c42524992e691d3331ed57cceefe58adb399523311e0dd2a55e6f34

SHA512
396e1c3be20a4f00adf3cae3ad45d19b3c654894e247b3f04c2bd36b7b62358bf0031850091d268537e5c40fb645845121ef0ad168ba7f4bdc5e4fbd49c49368

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 624109.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
memory/1412-686-0x000001D42CD40000-0x000001D42CD92000-memory.dmp

Filesize
328KB

Download