vidar | 6dfe4ea4f42f1cd4111a449e6fcae596c3884f6016f0ed5d0f36adff1acf0d88

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
Size

24.7MB
MD5

45f6af3f1ad22c109e6d1792de150d6e
SHA1

5fc5bc9c90ee17197abdec68b6bf1e4a04f62d3c
SHA256

6dfe4ea4f42f1cd4111a449e6fcae596c3884f6016f0ed5d0f36adff1acf0d88
SHA512

e328e51323889f5620aa734ab057c266a0fac7a843442aed5192b6d74b8cee4a6a0ea0e0698d40f1f9b4922e2cb6c58dd18e52e206fa388e668e6557e76e06e5
SSDEEP

98304:XvkH7wY4yuW07JJkTXzEuo70QfTIgQBojs+5qSyHSgCBOvMOefSQOMaHH0+nn87b:fkb7CzTmKjs/HjCYkOeCMa0+nn8/CEb

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/4528-5-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-11-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-8-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-14-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-30-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-74-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-83-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-89-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-90-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-91-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-277-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-392-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-398-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-399-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-406-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-422-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-423-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-430-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-431-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-432-0x00000000006C0000-0x00000000009C0000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5020	msedge.exe
1948	msedge.exe
4028	msedge.exe
1236	msedge.exe
3000	chrome.exe
3972	chrome.exe
3968	chrome.exe
1556	chrome.exe
5040	msedge.exe

Loads dropped DLL 3 IoCs

pid	Process
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3428 set thread context of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2156	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133746571993310839"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
3000	chrome.exe
3000	chrome.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
4528	BitLockerToGo.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
4496	msedge.exe
4496	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 3428 wrote to memory of 4528	3428	2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe	100
PID 4528 wrote to memory of 3000	4528	BitLockerToGo.exe	102
PID 4528 wrote to memory of 3000	4528	BitLockerToGo.exe	102
PID 3000 wrote to memory of 1476	3000	chrome.exe	103
PID 3000 wrote to memory of 1476	3000	chrome.exe	103
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4340	3000	chrome.exe	104
PID 3000 wrote to memory of 4356	3000	chrome.exe	105
PID 3000 wrote to memory of 4356	3000	chrome.exe	105
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106
PID 3000 wrote to memory of 1188	3000	chrome.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-29_45f6af3f1ad22c109e6d1792de150d6e_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff94bc1cc40,0x7ff94bc1cc4c,0x7ff94bc1cc58
      4⤵
      PID:1476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
      4⤵
      PID:4340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:4356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
      4⤵
      PID:1188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3972
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3848,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8
      4⤵
      PID:3868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
      4⤵
      PID:2912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8
      4⤵
      PID:4524
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,15869399273631575859,8490009384991859621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
      4⤵
      PID:2148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94b0046f8,0x7ff94b004708,0x7ff94b004718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
      4⤵
      PID:936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1420 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2704 /prefetch:2
      4⤵
      PID:1216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4776 /prefetch:2
      4⤵
      PID:4000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4600 /prefetch:2
      4⤵
      PID:3352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13278808076645395440,5855102318897950065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2372 /prefetch:2
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFIEHDHIIIE" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2156

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fe11e54aa6e5b6b8926be0092ff4139b

SHA1
9e2bdc28b49fc7da52536fa086b0cbaaa60b1906

SHA256
8925f48ac1c1710cfd0bbd4c67e685e1c9362024625ab4b11e568764458f9b11

SHA512
ce710cb220331ba21b888d78905879bae14836e9b6763bd27c56e5e5876940cd1bf26484d5df10c63a5ec4050ee4d13fb6b983e13bd72d00411b9337536b4f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\1857d414-73bf-4517-b19a-cc2c6907942e.dmp

Filesize
835KB

MD5
ab36c8b8dcf1b6e9af874c3d02aa5528

SHA1
0e655ba70ae856e0723d054083c7f22ee25359bb

SHA256
bc981930e1454cbeba242555a27ba8881f486de1ef15f6531178f381a56d3d0f

SHA512
6bbff7309e421e275de5ed6e2a1ce3fbc1671ccf26930692fb4247d85cd8ef67c62b1b6d2d90a30c210033fd18b830427c61a04ca65d042283d7aadc8623ccb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2db4170b-3ff7-4c65-b0f8-8905d1d7baa0.dmp

Filesize
838KB

MD5
4db25f670953a5514425c285dd2e6192

SHA1
02ee83947ee8831e70887ee494f54a89110c06bf

SHA256
04608287fb4f7bf898444b7fe0ef8ab75f3949910f40114b1b61622e5d0ecf5a

SHA512
fa093c4edfea1611f74d8a631afeee10c5e38c3e20ba0f9a5a08e26c68fe57b5de7f831ff778122467e84f6369d2dcbc3f00c8354b8ad1aeeb8ac52a23e0f07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2fcfe889-7715-43ed-8625-7609c545ac33.dmp

Filesize
826KB

MD5
224c9aff0cba2b1cfaff85c347ac3f5f

SHA1
62e2b38d11ed9f5dd7fdab841fe0850b2daaecbd

SHA256
61447c8cb2731bd365c9bd2181694517bf1f6dc1d95701d9da7f08e72d6ba67a

SHA512
d34788f5f6d7da07eab85a39d211df4f09d6947b68924a2181e62eafe000a1c136625be43d067f870a996edba528da02998aed019a84b708eae291e903729009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\4cb8719f-477c-48a1-919e-030b3ac21a90.dmp

Filesize
838KB

MD5
3c87ba93ec6ef7361d90c5a995501f4c

SHA1
9b18a25582b18898568bd7866f066cb1185df062

SHA256
251cd8d832101773d91375c9d4a8ced2241285a76025e57ab19fbd974fc5190f

SHA512
f7472e9b9e4f21d3710c15c9e54aba368673122496402a1db56070a3b83359ab629562b2940f41f2c8834d704e0eb7654013366c7bae539b7db404bccdd75e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9c611e2b-8fab-4b39-8be3-e95c4277d054.dmp

Filesize
826KB

MD5
47c8ef9c80803d96b87b6c6f8ee9d48a

SHA1
d771c63389be0e303b6d8c316d732be2fef3e509

SHA256
316c15feec633aec24a6b3b55d2133a7be282a2f65cef8009e60525696c2673e

SHA512
44c16083342af9b33f4d99bbbe305869463ae2dbe7cad13f9ff7ad64ae5dc2a53172220e40607d541f93d0ce8c272123995db0f4f373a3ff0458d1173be49ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\fdba8d95-5a77-4c93-a0cb-c30d49c6e769.dmp

Filesize
826KB

MD5
d2953b0b67b153f97d6a7a7d58da275e

SHA1
38003c239f77747317e60a7d7bf3f4980fbd8a79

SHA256
264c6665cd084067d1d5c4210a93b8067106917511f33a637dc0c315912b2ae6

SHA512
1763d6dbe7aacac1da4a612d2ec39cccc3608d9374f692010ae6c85fafbdf267bdf5b9028cf81517f534e4dfb2d0b8bdbc6a1f15f3c8e955e1f54efa2cf7a896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3f08718463520d3ae7aab69234f89e58

SHA1
516ac778ff0eeada5c43c43ae66fed1a4283ba51

SHA256
1dbbf608300ae6003c992854cdb73c0001bfa49a11cfef108ed020df9c1691b4

SHA512
d74fd6dc6a184f6a9b22a798f4bce8ce7a86cae0786327072ad94b1fc0506957cf29a286d028ef77379bfce879b6ddcdb37b2ede07d1f1353ef453d126c57886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e71bef16139b34e37993253186b8c199

SHA1
433bc486a3e08d1e463ff39e344bff5f1d3b8c24

SHA256
9cb2ffc6e55b899cf4ea2cdda796d71d8c6a2056f14ce41d18e07e6bb4429ee4

SHA512
1664485aa6462acd28a3f6ef482b587e7c25bd67a552b6b2a362df2ae2c54ec2e8156fe8969e1d22434504949a351b5a21f39a5e9f69b36310882381dc97d41e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f2840fea38cd4db270f098764cfec81f

SHA1
ed74d1ab88d6f4181ff9b6b1f6be84074114f036

SHA256
1e4d9c4a61530271dac4522d45cb3dea03cbc2717e81427384c8cead5fc33e29

SHA512
c6c770dd46e195d5a7cccc5c003d86f7f8d9d998e1e681a7b754d8ead9dbb1f9ecb62a0209291fe1b9d658debf4af484150e0dcee2926acc64367d22c9fbe983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/4528-74-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-392-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-90-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-89-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-83-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-4-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-31-0x000000001B850000-0x000000001BAAF000-memory.dmp

Filesize
2.4MB

Download
memory/4528-30-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-277-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-14-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-8-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-91-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-398-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-399-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-406-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-11-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-5-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-422-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-423-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-430-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-431-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download
memory/4528-432-0x00000000006C0000-0x00000000009C0000-memory.dmp

Filesize
3.0MB

Download