vidar | 6dfe4ea4f42f1cd4111a449e6fcae596c3884f6016f0ed5d0f36adff1acf0d88

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
Size

24.7MB
MD5

45f6af3f1ad22c109e6d1792de150d6e
SHA1

5fc5bc9c90ee17197abdec68b6bf1e4a04f62d3c
SHA256

6dfe4ea4f42f1cd4111a449e6fcae596c3884f6016f0ed5d0f36adff1acf0d88
SHA512

e328e51323889f5620aa734ab057c266a0fac7a843442aed5192b6d74b8cee4a6a0ea0e0698d40f1f9b4922e2cb6c58dd18e52e206fa388e668e6557e76e06e5
SSDEEP

98304:XvkH7wY4yuW07JJkTXzEuo70QfTIgQBojs+5qSyHSgCBOvMOefSQOMaHH0+nn87b:fkb7CzTmKjs/HjCYkOeCMa0+nn8/CEb

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/2432-5-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-6-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-9-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-25-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-71-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-78-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-84-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-85-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-86-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-277-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-441-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-447-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-448-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-455-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-471-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-474-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-479-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-480-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/2432-481-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3560	msedge.exe
5024	msedge.exe
4468	msedge.exe
1572	msedge.exe
4840	msedge.exe
4620	chrome.exe
4356	chrome.exe
4472	chrome.exe
2320	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3616	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133746568021914379"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
2432	BitLockerToGo.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
2608	msedge.exe
2608	msedge.exe
3560	msedge.exe
3560	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe
1552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe
3560	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 3576 wrote to memory of 2432	3576	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	93
PID 2432 wrote to memory of 4620	2432	BitLockerToGo.exe	96
PID 2432 wrote to memory of 4620	2432	BitLockerToGo.exe	96
PID 4620 wrote to memory of 220	4620	chrome.exe	97
PID 4620 wrote to memory of 220	4620	chrome.exe	97
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 2920	4620	chrome.exe	98
PID 4620 wrote to memory of 4840	4620	chrome.exe	99
PID 4620 wrote to memory of 4840	4620	chrome.exe	99
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100
PID 4620 wrote to memory of 2640	4620	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffef698cc40,0x7ffef698cc4c,0x7ffef698cc58
      4⤵
      PID:220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:2920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3
      4⤵
      PID:4840
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2612 /prefetch:8
      4⤵
      PID:2640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3656,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3852 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
      4⤵
      PID:2292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4336,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
      4⤵
      PID:1264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
      4⤵
      PID:2304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,14987454590377083369,16469835658307318140,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
      4⤵
      PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef5ee46f8,0x7ffef5ee4708,0x7ffef5ee4718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:1064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 /prefetch:2
      4⤵
      PID:224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2488 /prefetch:2
      4⤵
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3704 /prefetch:2
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2308 /prefetch:2
      4⤵
      PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,6642903291357239138,11427958930534978013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2368 /prefetch:2
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDBKFHIJKJKE" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3616

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
433d63f06b9a565813c51e7c8149c9fa

SHA1
9b0c3f90075abd0cab8c9f9e0c03088c411f8dd6

SHA256
7c65b9bfff17e56d3f4ecefe32c7a23f6b28b57310450b5431ddfb1226fca4ed

SHA512
c1a0697aedf37cf517a121e6d185984d8b075254cbc0033852f39219aca7bdebc9ee054245943c2726537b63cd18fc69ba24abae2d63acc4ed3f44528297ac11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1cbc528e-f0d0-4687-b5e4-69a830f32827.dmp

Filesize
830KB

MD5
bdb1b369ecad989c2e685a091bd51958

SHA1
82ac00c37ed56857d96547bcb68784b063a342f3

SHA256
cb7fe64e9431cff937c855d57565c6cb7c9a9643fc39e3089b1a90d9d42d3805

SHA512
e66bac407c8b6d3ce50320e292e7bcb36f6b49f73d8e0c2219f199959f38f06cbd46613d092c9d9b8e6cb50f7d10e393b71289d9d231de2f9fc14791d561177a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8f38ad6d-a727-45a1-a1e0-c4101006af8a.dmp

Filesize
826KB

MD5
89078e1ac4a0127f7dd25dd4ac9b87ba

SHA1
3e7fe16c5e55cf36ecb2821a17fe34a654227d69

SHA256
55603c2c8353fc7e998d925c0a27a35f598a551016a03d321813c62d43e906da

SHA512
d9892ff92a7dce4d1da39a129580c603280c70fe971b1251f480e4bd3f3d392db3dbdeccd312f2756613ee395ac67c509d5fdc3490e50f132aedc05567bccbc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aba1b58d-3448-4136-b526-29f9d208a275.dmp

Filesize
838KB

MD5
64f7aa6210cf9e1e012f208b9f9bdc0f

SHA1
654660abb1efe2f45bdb7c4d29db109a29e9729a

SHA256
22bbeb2be4f840ebfce6e2526aa8be4e1ea28a29ed6535445b5bda6946d9d9c6

SHA512
274816338d286eec19c3debff605eb7f4d62ce28b706f72c9027852b0da8c477ebe8041bafc9cd6c4379e94a06fd381407d3b99647eb3b52b30815cf989b1a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aed60f36-1fc1-4181-98c2-a76b418c9848.dmp

Filesize
838KB

MD5
f1ecf6614e5eb87b952c8866e48f75f5

SHA1
4640a3eb92bd93f8bd986f234c1335bc57d1a3d0

SHA256
33c1b3546fe2428e12487b2bb13becefe64b56af1234c2317357201c201c280e

SHA512
febf4931fe74cd9a9394b8338fa61f720eddfd5aa20fd0725f9432d6577b00746fad080051dca6238c38ebdcb784cffb56044d798f4fc2202fbd2cd170fcf81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bc8f398a-8f25-45b0-a999-4559008f8a74.dmp

Filesize
838KB

MD5
70c28163c97e236a2916d8a035cfb22a

SHA1
cd2668525f695d0dffa9bcf584473dbeb7305948

SHA256
6d03d4260bd6f906efcfc3f62307a65a8548a730baa36ebef17168f45cfe77ee

SHA512
4647c15ff4311f81cb4e8738a5d274674358e7c1040b425eae368eb6098f657eebf8ec4c436f26b3aa866f10bc264ac181fb0ace607ab0593c5ef96f09d51348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bd7d7ea4-1b6c-4049-aa7d-a663ad466a1b.dmp

Filesize
826KB

MD5
cee1141888aa2e0e57ae47575c882479

SHA1
2740b20fa3a22c762b6f1abaceb6aabb42931066

SHA256
242b76fc09da2c06b6cf53ff6a5872b06a7cae67ab89cb2a83b4c75870e2316b

SHA512
815edc758a260d30d202f6c0ed203943c449e5c67a6f0110cdd41361217454343f8787c22d0a271a5cfe1d4ab2ab5360c440fb80e5860a0ce49f5452969ad369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\eaf6b7fb-3512-4363-85c3-56733bc5420d.dmp

Filesize
826KB

MD5
0922ec9a00df8dff66a3e6cfc8c2069e

SHA1
8bc4de3b3f04f7932bfd66504840660f3e826728

SHA256
125a5b64a43bacfe2cc6fa53608cf71b0d41520df8d13fbe1edbb421740bfd3b

SHA512
5ae5593100127393bb81a9cf65de34937bc1ad4c85cfc8aa8bb571227ac964c2e5f502c7d787f84addb80811b62d52d6ef6f457eeda9f2c2f6b9a050eed26046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e7030dfbdde211d495d9226dc9c0939

SHA1
1b379229b3c3fb5bcb2cc7d97ee302015517d499

SHA256
f571f737102c760015497bdeb5f0b764789f882273426c877bd007e786bcee84

SHA512
ac9f9792018e838030aefa06d2e16f2e8a06b762c5b426a200822a90b05b962a4bd1973c82cdef20a86285f2b11b64565b5e24cb3a98d4f865cb75bc73a88f96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b80095862746de0b8b109dd7a08a3325

SHA1
b8e6b881d322330ba93244c9dca87169370c9ff7

SHA256
d60b4c4bea65a7dd06e481413040fcee1954d37059286c669735e4292936dafc

SHA512
108108e0063c1fd41d62ec57a9eee56b5afc498b20b21dc02589b280f20cc80e244deb1ae77da86721a258ec276cd6c5ce379da296dade9a46d0323050fa5de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed3119da63b7ea0f64c2291022fd201e

SHA1
a4e89707d5d1194efaf5b6303102218a327d0d13

SHA256
ce42707a295970d8abe481986806c70ae11da9a725aa67cd26e79ad26b9b7416

SHA512
89f8ce50d6a269c842c42de40674f96cc1cf77cfe4671f548f36059508699857520a017421b4940502b67ada8355281d9e0774c0afdd7bff6455f0d5ab07fdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4af57a6883305ced315301f33da80384

SHA1
d05aa09cb86a454c7bf2b1354888825e2ac8aa02

SHA256
056eed28f6d0715e0d3c914cbbcc2ffb9e9a874ebf17dbd64eedd2346c4dc433

SHA512
c75a2246194883592eb27cc369dd22304b87ee9e7726297cff247cdb66c39b1c2905b6e4dd7c083e8dba2ebcdcce9a93944a4e9d8a58d47c4245426554bfa57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/2432-277-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-447-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-71-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-86-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-85-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-78-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-26-0x000000001C000000-0x000000001C25F000-memory.dmp

Filesize
2.4MB

Download
memory/2432-84-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-25-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-9-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-441-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-4-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-448-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-455-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-6-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-5-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-471-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-474-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-479-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-480-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2432-481-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download