hxxps://github[.]com/can-kat/cstealer

Resubmissions

15/12/2024, 23:54

241215-3xxnbatjgv 10

15/12/2024, 23:51

241215-3v5wxavnal 8

Analysis

max time kernel
146s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15/12/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/can-kat/cstealer

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5180	python-3.13.1-amd64.exe
2536	python-3.13.1-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
2536	python-3.13.1-amd64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}\\python-3.13.1-amd64.exe\" /burn.runonce"	python-3.13.1-amd64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
27	camo.githubusercontent.com
30	camo.githubusercontent.com
31	camo.githubusercontent.com
32	camo.githubusercontent.com
25	camo.githubusercontent.com
26	raw.githubusercontent.com
28	camo.githubusercontent.com
29	camo.githubusercontent.com

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e59b6b4.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF500C965AE8204525.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e59b6b9.msi	msiexec.exe
File created	C:\Windows\Installer\e59b6be.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1F73D08DAD64E814.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC53.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE0E0C266F339FFB3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7FC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF74D47ACDD50F4BEF.TMP	msiexec.exe
File created	C:\Windows\Installer\e59b6bd.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC4EE359C8D764714.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC09982CF922531BD.TMP	msiexec.exe
File created	C:\Windows\Installer\e59b6b9.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF20DD0D208E11AF7C.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD6C9428EE88DEF00.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6B2B538C9324F5CD.TMP	msiexec.exe
File created	C:\Windows\Installer\e59b6c3.msi	msiexec.exe
File created	C:\Windows\Installer\e59b6b4.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8AFC9846-E7A8-4817-93FD-3542456A3E52}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7CEAA78B17FDBCD7.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4C10E98F2095B173.TMP	msiexec.exe
File created	C:\Windows\Installer\e59b6c2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59b6c3.msi	msiexec.exe
File created	C:\Windows\Installer\e59b6b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB964.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59b6be.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE721A7A9F0D34614.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\python-3.13.1-amd64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.13.1-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.13.1-amd64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}\Dependents\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}\Dependents	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}\Dependents\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{29A3DBE6-A3D3-42C9-9338-A321F61C897A}	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{29A3DBE6-A3D3-42C9-9338-A321F61C897A}\ = "{29A3DBE6-A3D3-42C9-9338-A321F61C897A}"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{29A3DBE6-A3D3-42C9-9338-A321F61C897A}\DisplayName = "Python 3.13.1 Standard Library (64-bit)"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13\DisplayName = "Python 3.13.1 (64-bit)"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}\Version = "3.13.1150.0"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}\Dependents\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13\Dependents\{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}\Dependents	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13\ = "{1abbd55d-059a-4d1e-bdf1-35bb74697f5a}"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}\Dependents	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{29A3DBE6-A3D3-42C9-9338-A321F61C897A}\Version = "3.13.1150.0"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}\Version = "3.13.1150.0"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}\DisplayName = "Python 3.13.1 Development Libraries (64-bit)"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}\ = "{8AFC9846-E7A8-4817-93FD-3542456A3E52}"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}\ = "{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13\Version = "3.13.1150.0"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}\Version = "3.13.1150.0"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}\ = "{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}"	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies	python-3.13.1-amd64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\CPython-3.13\Dependents	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}\DisplayName = "Python 3.13.1 Core Interpreter (64-bit)"	python-3.13.1-amd64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Installer\Dependencies\{8AFC9846-E7A8-4817-93FD-3542456A3E52}\DisplayName = "Python 3.13.1 Executables (64-bit)"	python-3.13.1-amd64.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 167584.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\python-3.13.1-amd64.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2984	msedge.exe
2984	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
1724	msedge.exe
1724	msedge.exe
1976	identity_helper.exe
1976	identity_helper.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
720	msedge.exe
720	msedge.exe
4680	msiexec.exe
4680	msiexec.exe
4680	msiexec.exe
4680	msiexec.exe
4680	msiexec.exe
4680	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2536	python-3.13.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	2536	python-3.13.1-amd64.exe
Token: SeSecurityPrivilege	4680	msiexec.exe
Token: SeCreateTokenPrivilege	2536	python-3.13.1-amd64.exe
Token: SeAssignPrimaryTokenPrivilege	2536	python-3.13.1-amd64.exe
Token: SeLockMemoryPrivilege	2536	python-3.13.1-amd64.exe
Token: SeIncreaseQuotaPrivilege	2536	python-3.13.1-amd64.exe
Token: SeMachineAccountPrivilege	2536	python-3.13.1-amd64.exe
Token: SeTcbPrivilege	2536	python-3.13.1-amd64.exe
Token: SeSecurityPrivilege	2536	python-3.13.1-amd64.exe
Token: SeTakeOwnershipPrivilege	2536	python-3.13.1-amd64.exe
Token: SeLoadDriverPrivilege	2536	python-3.13.1-amd64.exe
Token: SeSystemProfilePrivilege	2536	python-3.13.1-amd64.exe
Token: SeSystemtimePrivilege	2536	python-3.13.1-amd64.exe
Token: SeProfSingleProcessPrivilege	2536	python-3.13.1-amd64.exe
Token: SeIncBasePriorityPrivilege	2536	python-3.13.1-amd64.exe
Token: SeCreatePagefilePrivilege	2536	python-3.13.1-amd64.exe
Token: SeCreatePermanentPrivilege	2536	python-3.13.1-amd64.exe
Token: SeBackupPrivilege	2536	python-3.13.1-amd64.exe
Token: SeRestorePrivilege	2536	python-3.13.1-amd64.exe
Token: SeShutdownPrivilege	2536	python-3.13.1-amd64.exe
Token: SeDebugPrivilege	2536	python-3.13.1-amd64.exe
Token: SeAuditPrivilege	2536	python-3.13.1-amd64.exe
Token: SeSystemEnvironmentPrivilege	2536	python-3.13.1-amd64.exe
Token: SeChangeNotifyPrivilege	2536	python-3.13.1-amd64.exe
Token: SeRemoteShutdownPrivilege	2536	python-3.13.1-amd64.exe
Token: SeUndockPrivilege	2536	python-3.13.1-amd64.exe
Token: SeSyncAgentPrivilege	2536	python-3.13.1-amd64.exe
Token: SeEnableDelegationPrivilege	2536	python-3.13.1-amd64.exe
Token: SeManageVolumePrivilege	2536	python-3.13.1-amd64.exe
Token: SeImpersonatePrivilege	2536	python-3.13.1-amd64.exe
Token: SeCreateGlobalPrivilege	2536	python-3.13.1-amd64.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2536	python-3.13.1-amd64.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4092	2632	msedge.exe	79
PID 2632 wrote to memory of 4092	2632	msedge.exe	79
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2240	2632	msedge.exe	80
PID 2632 wrote to memory of 2984	2632	msedge.exe	81
PID 2632 wrote to memory of 2984	2632	msedge.exe	81
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82
PID 2632 wrote to memory of 3672	2632	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/can-kat/cstealer
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,12487147318938194989,14360462414214285732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:720
- C:\Users\Admin\Downloads\python-3.13.1-amd64.exe
  "C:\Users\Admin\Downloads\python-3.13.1-amd64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5180
- - C:\Windows\Temp\{CFD9F10E-1779-4E64-88AC-DD934FD3E571}\.cr\python-3.13.1-amd64.exe
    "C:\Windows\Temp\{CFD9F10E-1779-4E64-88AC-DD934FD3E571}\.cr\python-3.13.1-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.13.1-amd64.exe" -burn.filehandle.attached=752 -burn.filehandle.self=760
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59b6b7.rbs

Filesize
8KB

MD5
1b11fccb985b958ab75708fa4c0f15f2

SHA1
4c1a88e09e2a48eb80dbf6ef2846007379651945

SHA256
faff0bae88f7eb4163d6afcf728bfb36ca9bb0e372e57477101c200aac7f7db0

SHA512
5f06a37040cbdff31a850a50716c9994f9521069925ccf7c5c709231933f15d754d3f83242ccae55a6e3b66c766016ce1c9519e3d1dd3a3fffcfabe714793c51

Download Submit
C:\Config.Msi\e59b6bc.rbs

Filesize
12KB

MD5
e3ea1c787d5d076f368a9537eb20d52e

SHA1
be196050fd56810a74604ee6aaa2e6cc70e7dbe5

SHA256
fa2a60a5781d6ee52b157e48a9b294f20810777659acb83a6d1f29e36066481c

SHA512
abb2b6cb029c26919849be62c6dcfc25fbeaae430e011a26a860c982c7e766cfec4cd7b130283bc754107bb0cad00ed1664b154b3d2fe0062b73aae161f5ca4f

Download Submit
C:\Config.Msi\e59b6c1.rbs

Filesize
60KB

MD5
809719bfa2ff44b3eb4c555f44cb0917

SHA1
d386140c48262bb00be68c379e953bfb7f06212f

SHA256
b8e5c4c8323b3838a2cc59465328be81deac164bb4bebf3de030ee0bf8e30ad5

SHA512
c13d68600758c17f9b23048768fe3794e3ca6751c6d404437d868d58204579e2c019c757d262575810dbf804d82a82ebb5b5434d8045a7100685b0242371263e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
2KB

MD5
e032713109763fb87d2ef531dbe8de0c

SHA1
b1c72dacad4621586fa1e98972dc1cc4a2c309e6

SHA256
b41e8be5f1fa7818e4f9ba5d9b4798b66cf5a6b6b74e73f4c0ffd7180548ed31

SHA512
4cd9dd142f35f625b86d9064899f3795b15c89bb4ef90bebd732f42418dfabc33b25689213758f2dfd1cae8df05e0deb07a299e96868693c21caf33170e31ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F

Filesize
2KB

MD5
9356b69f2941e6b0ef5a416c032f5890

SHA1
b7a1a47d9e90269d119c7be49c3d5cbb6c6ae970

SHA256
b6899ad55c9328bad85b92c7bf912a3fa2e59c3d3c943cb4d556f13ba80ce8fc

SHA512
47eb30b9fcffcf2b7f326770766bb619c7fbec11cb09b7083f3eb9c9d2f69b3d8d9e3bcd814edf58893d2e2490b03b448b81ebdcacba9d9a538727fe3e89534b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0

Filesize
3KB

MD5
732e30b929928cdab6dbb269b36de565

SHA1
d0219445080a6f990adfec61422e4944768a80fe

SHA256
5bdb083e32c1a0b664282feeb910bc303be61015d3609d8eb5539d622c38a891

SHA512
efc6b93bea773f07c1a6e2afabdab752e1048fb7258e3495e654590b7ac8b862c86e558ee5630265bb445d6753435ad99c61260ff04b990b9bd5a1e26463e4cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_2FB87024308E7E3EF5F507D037BAAF36

Filesize
1KB

MD5
dd64371c8cab799b25ef9f322c3d26ee

SHA1
a449fddac462a29c6d38bdda68c2845cf7e54764

SHA256
3ed6b8197eefc983b91ebf2ac2204ec0f1696fe0804341527da102cd1751a8da

SHA512
4530110498ed7e3ab9db5dd5167ed3a31855836dc8e6c2c31269e78ced75e0829309cbf6ab6f0872dcc83ca6115fca28c3dccf4032bb29f9dc3b096d91504739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_BCBA69CD583ABE5D7D9F83714CC182C6

Filesize
2KB

MD5
2149233dabfb8181ce0d8b438fd928a6

SHA1
aeda921b0b12fdbf6b8e928de1bebfd18dde79f3

SHA256
a6cf0ac6fb608e250906aaf5630253183f6c7b811a2cca9cde3d9bb2aad92d9c

SHA512
0735f4a9090447ead264120570221a908aa20e374205833a3b49695dd0661c7b9e2b7e527b0689b173031be6ce2156dd8d64d501903daa89cd3a6f26e9966b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
556B

MD5
ff0abc164b39baba7ea4d83f06d6cd53

SHA1
044f2a0d90773616226385eac6b4b9a23121c38c

SHA256
017c54989d207848e23b68ce2944114be4f6d9e3611c49282cf12d3377e10e34

SHA512
d9fe2fe9229a19484127fa76e7b3f7508aaf338ff966f015c41be6b37f9002a335ca2b37022919c489ad5e16286f1a3e11973922bc6aa3588050ea24abd5c646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F

Filesize
564B

MD5
2efe19f9e259a3298fe76e2b00b77ee1

SHA1
6d76bf15c4fb0b0fb5c5b23f94624644c54d6aa3

SHA256
afec305ea0609d31de985d005cacfa11ed6721f73b9cc83ce887b2b71f904ca2

SHA512
4273edb559b1cecce7564ec41cddb64d8efdee23ed6fd57111ae481ebd5ae651d52a4b2c59b2749b4b6b6bff63fe91d932c680b71753212dbc7766e7ef970f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0

Filesize
290B

MD5
3849c6b39fb062194e8edf0c669ab1e0

SHA1
1ede4778d1dcc67e0d123924ff892cf744837bec

SHA256
372265cfa0328b0ae77e10f9abaffbc3375dbd575f39e4fd0cdcbf3056cd7f15

SHA512
86e75c60e89be896da3d6308bb75e9440ee82a584da31377cb245f7a8c541d10c185101e9a83c8a100f1446d5662cee9778358df33b88e41e1e098587fcd9bf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_2FB87024308E7E3EF5F507D037BAAF36

Filesize
564B

MD5
31b86772f04567e363d88832a3a6a95e

SHA1
dbd2c63190422b34f578f15ed26bae27f1793bd6

SHA256
f4e6a9080baf5fb49d06c605c4df00d8cf2dada747b759d15d8562452c854933

SHA512
e72d7a385413ab247d9993968369defbfd570e85d437e287415b82c0b1379fa7a852e55bac479c28002d72eefa02fd6a5694edbb64b88a6b9838eac1428e5e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_BCBA69CD583ABE5D7D9F83714CC182C6

Filesize
642B

MD5
5d27a30a84c45cde9983970860f53eea

SHA1
dce107329f6b0726de23184bc2c08a65e0424dc5

SHA256
e693a18db8ba1827fe3d412dbc7fb2047047c89e052370b8d628a470501cdd80

SHA512
dfa254abd5bc331363dff29627dd775f4dd15249a4077254e3affeec2cc3ec2cafc776609d34f50cb936ae672bfcbd8df407b71c36932ffdc66da659ca7cb4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f62e89a46872098ba45aea5a7ff50553

SHA1
7f3bc90d0bdc13115fb474b443768352d9e333d7

SHA256
ebce75dde05a05047ea8fd21ccff74fc5cfdc9c0cedf5df1244fd5c8f46e97b2

SHA512
c088414cef1d75373007d46825b2bb1dc954de1d03d4265170de7205ea1dff63db371ee63710e470ad0fe18f2255fc5e5d18ebd8ea2c4cb9e8edde69db535aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8c305129cde44efd03aa19bf8d1fc1b8

SHA1
073961247301e38447893f08723d3e8b4c1b5a82

SHA256
7eabf93ede54d6a1b1ac4be061dc534fef6e6e090fad92fe0bed3b952db58e79

SHA512
55887e704294e6e0a202bd8f9a091a669da44d67b2d460f5690486f3c2910ba4998d17594eac2b223c1a7f6315bb66315edd9acc2760f3966b172f59af704b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6e755cd998709c95ee72e7b32950ca68

SHA1
27768abf2cbb7aa3f960fe22071ce76b2c8bd67d

SHA256
1dfc979f38eaed90a05632abfcf3e04fdb3bd5798a14f13bfbfb6bc6080070fd

SHA512
cc13147573e325c8705a9afcc5d6ca2a1188016fda67b267a5ad93bc66306747f1c77c6461f0763eb1a747749207dc452f052bb1238804a6ef7f240d61fd5cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17cae451b0e503a44b1a8179469c9d06

SHA1
bd0147e54ac563b638f6f05d3eaf2da882864c06

SHA256
9fa1f85eb89a8e7c1d0c8229545ff79321321d30181f5712154eb5146ef12591

SHA512
3af4ec96003b6e101af14288519fd7fc2f63240bfdc0cd2104ed30fa3163e53cc5c013d853adc2d0825966b598d1383b6be3fe2c77885587360c16436e766e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55c05e38d080c1fd0ee3982d7d97f529

SHA1
afa33b65349ec94776150843c02fefd08332599d

SHA256
c1835fc50fa61b3225178a09da8a1470448825d7da20a8874015dc0c87e63ec3

SHA512
fc456a934366f7b149e4b36d51c1729ad9f3f5d575080fa1d2bc54df51fdbc6597ca6102db70f3bd92c5ca0ccd5f3fdee895c8b90cba16a6623de019f685900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e67b8a9be0c4065dce1d3ba1f299afe3

SHA1
8ca03460466fa5531a75fd0a7c748bbf0811ac10

SHA256
c6c43189c813cc44cfe7804f722111604acc726fc719d3b454ced8520d52ed30

SHA512
9aa5394bcfa44181bf90749d3d70084de8040835e14d69db1a70909253effa07870bbf3c8109b7041458deec27e2cf586e360813a61e0b4e3864b3619d6a2274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b96178ff26ea5980479c932f8971f57c

SHA1
568fd224d1a3efed7de14cb72f229825981274b6

SHA256
b39afea996f9c1a3207577549ed1ec6a5ed2892713bdaa27482f312178a70056

SHA512
2f9ea9f342f787be197ce8fcb23face7c0e60c043fb361888757633a757bcb39e39e5925f6430834ba7409e5f0e71005fec9651558a8ea2bc20de68cde3d0338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e148.TMP

Filesize
1KB

MD5
3dd7af87baaf68874c0ec966eef51bdd

SHA1
4eb30237d439d8c4f98df04a0a72282370f40bd0

SHA256
77f0042107f806ed2afedc83d6b405e4ace7d93fce4a45d571c5de09641c0150

SHA512
93e698c4cdbd8e91a4e105d5dfb3406b2ba5f8890f00b3c9d539ad821906c8f08e5d54fc6630d06d429ddd9ab7a9ff5a1ef821820110eb6a3ef33653f67d0137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1119a4bad52a0bf9d0b140ad62cab0c3

SHA1
0d6398aef2bb81e27037869f83c63c306cce89e6

SHA256
67d36be2165dc914c8c4a2fd3a05d82e18759d883ed95e6034e1ec4a85937863

SHA512
66d7c8251c951926c0b0e0384de7f425926c946296ba33d82889efca9899243f3e6adb113aabe23bda5d598d421c54c35d43f84c9e7a29c22c0e6b5f02f9d99b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e755bdd2ef506f43ed6ee36317324073

SHA1
a88ed8dd1a37a216bb77a3f5b988c44e642bb10c

SHA256
2e8102fa5febed111f42f1a19b304117b9e1f1e455535f8896edb1da9ca801ff

SHA512
5eb8f15d3773567cbfce800e54f8debbe387d7b106e7ea85fb5242054faee10db24c82d4ce6097f14a38a5262bffa3f620617ca9a0bd4c2c0b6c4356447502c7

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\doc_JustForMe

Filesize
7.5MB

MD5
79b7681f7b418a1abf0bb3e93a4339a1

SHA1
b68795e85d381023be6f8dea1f6864590e72ca3b

SHA256
40d5284f0154fbef70d9b6f999a0b104ac0cd4747c2dcbc0c43236141c8a6ce2

SHA512
7518e11c333f77ca5b3635349c1bcffed8186fcf1ea48ab4ec889c719cd6b91aef106285cd9f3684e8a4f2be0b7faf20da597dc64401f40155ae29a561a1b215

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
7.0MB

MD5
2972f3654040ea4adb652c51a6cf5877

SHA1
396dc152ba2bab2b64dfa72dfd4709a289281e87

SHA256
a1df9e299f0053e7972fcd29aed6935a14ddf2b285aab6c6792c43cf733242d3

SHA512
81fea7b671075d686e60651cbdba575a795a0625dfd42efe5aa73a1d857aa81e03e8b227a5ccc7c413a4641776eb6edd16060c7dfe73964033eedc00adaa9b7c

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.1MB

MD5
7d0d8a5bf5879d29126655c2aaee889f

SHA1
c5311f41cbb8836cf9d0fa18461ef7ee9eaf8ece

SHA256
1e26fa2c0f37c1333a92e804f311e682d88cfc000ea19922658511dad6ed491a

SHA512
cd549fa8fd4fbc57cd8645951f6b386bb4254dec43cd60056ea9b4d3d8b6aa135a1d0769f96813dba13974c0fefea8b397089b87611b4b25eb4fa3cd2aeb6342

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{8AFC9846-E7A8-4817-93FD-3542456A3E52}v3.13.1150.0\exe.msi

Filesize
776KB

MD5
b9d43d530e11b38d35ec8005bc4ad099

SHA1
1f61ffac82317f7dedcdca41867549aefaf71554

SHA256
7803a9ac06a96048683caa4349e01ff9ebbb7c71507aa90901860faf3f5dbed7

SHA512
86822f740855d7109bcfd967a27c9f30f0da97ee43cd65d7c0b5275d83477a28b15e9a41af0f005ac3f4717c03221c1cf0bdda8cffd3e46daff7297db2f31d6a

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{B7C30E07-E007-43ED-A9E1-EEDA7F57C8BC}v3.13.1150.0\core.msi

Filesize
2.0MB

MD5
9832ee46c5bb0521099116cb98a9d274

SHA1
9f762e725c3b403ba39abdce213b52eb20c6077e

SHA256
d6af899999945c0499ffc7bf8491856d3189d49f5687824df50818e15b3db4c6

SHA512
f63462a5293f04c4a625050b45c959604c71cf53b7745bf3153b6827bb0fcefb94d52f9e5efaaf3826e1c3f139819053402da1d3c2bc73fdc5af1ea996441b9b

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{FE9B3181-7FDD-4F6A-855A-305940D9A6E8}v3.13.1150.0\dev.msi

Filesize
480KB

MD5
413ebe88048335eee0adfbdd6212191f

SHA1
84ab3d3de2b0d5cb16406904f68e2fbaf514acac

SHA256
0110c69f11825868725603e1b729ebfbd692eb830892e45678d2d70e2581f41b

SHA512
9eddc5351bde0557775afba1cefc703dae570255f669acd6c801b17455545b6784113f28f48d362974d47609455f501711049aebb87f55fa50718b78a94ca3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.13.1 (64-bit)_20241215235332_000_core_JustForMe.log

Filesize
3KB

MD5
59077e476fa610b2fb87a727b964276e

SHA1
3e21dbf2429c81ad782b873ab94e4428a2a7dd75

SHA256
9896f92a155126cb295cd8c59a7aa853eed967c97d02b960adf3d6caaafb9e21

SHA512
dc855c30b8cc5b5f5800c9a922bd386dd667c2b911f7a423949de6bcb2ebfa9b01e4c57c42ffb47504f473d5820921744bc536057f836c1a9fb74b4090de650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.13.1 (64-bit)_20241215235332_001_exe_JustForMe.log

Filesize
1KB

MD5
bdc9a7d866b3f468b2aa4cc2255db959

SHA1
ef221aa2167806722b2317a875161bdbbca156b5

SHA256
1db23fde71eed9f64595bd2ef0355bd53a11c72c59581d056f327a62bcac2d30

SHA512
6497a6d5993ebc8f9e7505b9dc3a32e23e540f5dd7e709966013b33a5d1e46425fcba7a363f85eab884056440365d31860aa180e44559d03d9c683f51e6ad026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.13.1 (64-bit)_20241215235332_002_dev_JustForMe.log

Filesize
3KB

MD5
d3a8d0d1cf2428728800769a3a8d7e25

SHA1
904523ba439eb143e7dd24de4603216fde3c94f7

SHA256
229991a82ee5f65dd40953df103cbe9e3f737bac3253c983575f22b5a02a7910

SHA512
4e889c30981383e905347679832498608e0ed69579bf66f2b25724284198084db260cc97ca29310bf579ee69bfac4ebb37b8085530607e64a415c3baa66e0e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.13.1 (64-bit)_20241215235332_003_lib_JustForMe.log

Filesize
1KB

MD5
0cf9356376776009b5d225dde62705d0

SHA1
c9684741367b81cf8a0df6a44b01859f5b43f019

SHA256
8adf25f73dd566c0516c3bf77605bbdd48bd5af037e63e8f1fc6c0d41c579cde

SHA512
53179acb7c54596f62005c343cd670885feb7310da2264289b1f97e1d463b632842a4f587841b40149916a5bc1f4912fa0e19a3e10e95209fbc57bac2ba13d0e

Download Submit
C:\Users\Admin\Downloads\python-3.13.1-amd64.exe

Filesize
27.4MB

MD5
90176c0cfa29327ab08c6083dcdcc210

SHA1
cc0bcf37414be313526d63ef708fc85da3b693b1

SHA256
6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

SHA512
5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

Download Submit
C:\Users\Admin\Downloads\python-3.13.1-amd64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Temp\{B66704BA-E231-45AC-BC6E-8627AA0DF985}\.ba\PythonBA.dll

Filesize
692KB

MD5
e8cd5641cae8ae7e9f98b8a3b7096808

SHA1
dd587894cad3122c1719def17f8377bb2bbbc05e

SHA256
898474ad4074571813416e58667a3b8a233e12e656579726c178ec71f794b268

SHA512
53034732df45527389362c2cc53d3ba0390bc4c1a7700b7d61d774d1eecdfed43381311c63b38861215813a674eb3fe865821cb352606522987fb2cfed2856e1

Download Submit
C:\Windows\Temp\{B66704BA-E231-45AC-BC6E-8627AA0DF985}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{B66704BA-E231-45AC-BC6E-8627AA0DF985}\pip_JustForMe

Filesize
288KB

MD5
5bbb6f97ea39246742294fb822859983

SHA1
da5a3995f0768add0fb475bbfbc4b3b9052d4f0d

SHA256
6eee860000f74875435c512edc44633e767d109be3917ee4849ca33eccee6977

SHA512
e7e12576a4b1afcb71613a5047da366fa51a74b0d3460273b1c37f551a1d0e9abc6ff0c3d477a188d94e49b98c3456a5ddf87d07d783a03e45817a76b8215cae

Download Submit
C:\Windows\Temp\{CFD9F10E-1779-4E64-88AC-DD934FD3E571}\.cr\python-3.13.1-amd64.exe

Filesize
878KB

MD5
9bc2cfce73fe043e69c909fb1546dbbf

SHA1
8ee81917775b4bd60ea0592b2203d2219dc98cfa

SHA256
ba89d23a7c937c05feba316a927773faaf7becfb2279d9edac6cc11e31205e29

SHA512
4243b3923b998b21ed386750b179bf29bda164d6154e2f5cd744b361963c4e1025ed3d6d557f1cad672818a909cc8a5036cf14ccf4f5bdd1284db24156ad58e7

Download Submit