vidar | 2a559ce1ff609781226319d7f57d6c8cf32487bd87bb796ea43ee015aa104a73

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe
Size

6.2MB
MD5

6dc517f58f112adcdd3cfae606a67964
SHA1

b59f74642e963111027613ce0206ca77aec06fda
SHA256

2a559ce1ff609781226319d7f57d6c8cf32487bd87bb796ea43ee015aa104a73
SHA512

6f04ac98d9ea1eb203d2b93e9ff9f02a26b2ff61a4afc61b47f5d7f6260a80bc085fbc24c97c43407651c231156f468d4fe00cb152e64c6be948fed6b19f4ed8
SSDEEP

98304:cTiMEvjmzKewwsZ2XoCx7fR+Q6VCKrUk:iiMEaI24C1UQszrU

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/4436-1-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-2-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-5-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-21-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-71-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-81-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-87-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-88-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-89-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-275-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-390-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-396-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-397-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-404-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-420-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-421-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-428-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-429-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7
behavioral2/memory/4436-430-0x0000000000400000-0x0000000000700000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3684	msedge.exe
3448	chrome.exe
2796	msedge.exe
3940	msedge.exe
4808	msedge.exe
3064	msedge.exe
708	chrome.exe
920	chrome.exe
912	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1436	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747242722140350"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
708	chrome.exe
708	chrome.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4436	BitLockerToGo.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
1836	msedge.exe
1836	msedge.exe
2796	msedge.exe
2796	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe
4748	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
708	chrome.exe
708	chrome.exe
708	chrome.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe
Token: SeShutdownPrivilege	708	chrome.exe
Token: SeCreatePagefilePrivilege	708	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 2728 wrote to memory of 4436	2728	2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe	94
PID 4436 wrote to memory of 708	4436	BitLockerToGo.exe	95
PID 4436 wrote to memory of 708	4436	BitLockerToGo.exe	95
PID 708 wrote to memory of 4184	708	chrome.exe	96
PID 708 wrote to memory of 4184	708	chrome.exe	96
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 2952	708	chrome.exe	97
PID 708 wrote to memory of 432	708	chrome.exe	98
PID 708 wrote to memory of 432	708	chrome.exe	98
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99
PID 708 wrote to memory of 3920	708	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-30_6dc517f58f112adcdd3cfae606a67964_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd99e4cc40,0x7ffd99e4cc4c,0x7ffd99e4cc58
      4⤵
      PID:4184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
      4⤵
      PID:2952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:3
      4⤵
      PID:432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
      4⤵
      PID:3920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4520,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
      4⤵
      PID:2716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4264,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
      4⤵
      PID:4012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
      4⤵
      PID:4032
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4260,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
      4⤵
      PID:4128
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
      4⤵
      PID:4556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,15243652079849643628,15880111001695775487,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
      4⤵
      PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd99e546f8,0x7ffd99e54708,0x7ffd99e54718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:3144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:4612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2848 /prefetch:2
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3664 /prefetch:2
      4⤵
      PID:1976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:4476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,679281312584231965,3663387416578137771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4060 /prefetch:2
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFHDHIJDGCBA" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:212
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8b60642c8aa05132dcb3fdfb7dc8a0e4

SHA1
9b5c95a9ea04b91019720369f5e72047df916e20

SHA256
bd0ba16a84939140d7af4f9627070650f87f9746155c44864448466830f78dfa

SHA512
6b127c9c8cff6c1fcc97f7a62b7c4e96dc442dc63f1530428b2bee59914b303ebc21943c4d2d74cc75f99305f49de3617d280665cfd25615e8edd8140cdb4e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0e0e2336-330a-447c-b44c-4746ac5491d0.dmp

Filesize
842KB

MD5
18052d3d0889ce07e92f4cfc40b09bf5

SHA1
6fa62375daf72996d5844739f13007207670946d

SHA256
c942cdf4af0bbecd757ed7e5ecf51afa4621aadfd23d30751c9e5c9d2336e63b

SHA512
412ca8df307fa46e43ddd8264313db2ed4d504aebad381489658496beeec4192150b5fc5d2ef2a59d9e15b46bac6f802f1bfd9b22ea878e80a7660da1125174c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7a0621e6-2af9-4015-aec5-cfeadbe01d4d.dmp

Filesize
830KB

MD5
24390bb4453b5381e266c38b231a66c1

SHA1
4db7d11d663286bf0670a169219ad37c3857a481

SHA256
8b1e2147bea061aa7f905cfb3eb78525650c810ba91c058cb29cbfa1f13375d3

SHA512
79da9b001d22e417d706bf7fc2059c1686f61c3297376bfdd1f706d8ec4683d56824009bae2afff0b1e93153cd1fce326d7f9a5228adcf55c8053182e635b49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\91caf13e-625a-46c7-93a8-989312311ccd.dmp

Filesize
830KB

MD5
c018c6f2703e94c7c38b4cfa4f7ba1ab

SHA1
2cf183d380380bce130c20b0a509e9eba4b044dc

SHA256
281b99e748dc5b2fa4ecc53379671773a284295064d01f16d6a9d859fe479986

SHA512
95469eb557fd3c359b12c1abaf049855cc05193837cc7026a320044e52b8c4e255af64bf033f1173b99ea1e0c379b93d261877bbe1434fe58259d0bba5d8082e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b49dcc93-aa9d-4051-8d7a-2cfc89045da8.dmp

Filesize
842KB

MD5
ff6297490a1e4e448981954c802ce8b1

SHA1
77534a4fc08341574571657b70f5cb358eb924f0

SHA256
9316467866a61ed76b784e74b92da73085d754cdc3dd7a56f6b10cef18d71526

SHA512
4781b137ba760964502a61eff415b9985f36e329efcbb45e9b0fd10cd8fba8942b7361f454b4a4a502e5ef77eeabf3d82b158682c4e0d4908ecabebcd85c7fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e37c9e3b-cb34-49b3-9538-ad1d4b992dac.dmp

Filesize
830KB

MD5
6a38e7bcec629f963431e0b5470f6771

SHA1
5497d63d51c031d6dab99097ae01dfa662a5f406

SHA256
d61aacfebb39fbde62d0597c092bc7503d63cff3e64ae9660cfbae37c1035cc2

SHA512
ed81c2c4845831b60effaeb542283fa3d8655cac0942eb97fda13ce07591b09ee8928f14f4ca1fc1fac90c016ac8ac3aec88be00f36ca910971629ff00d022d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f37422e8-0e08-4fdb-99dc-23a5f948607c.dmp

Filesize
846KB

MD5
eb63851c527d7294eb9bd2bc0fcacf7d

SHA1
0ec160a5ab373671e5125ce5da27ffd11d3f613b

SHA256
b49669fae03c431e7f6f82be67523f95cb6c3fc5045fd3eaad06962541246005

SHA512
82471de817d7d8983b813a067e34791bd03d0fbd68b50c628afc199bd0aaba4ff1a75bebae014903933d1842940e5f212a294d5b2cbea16f54aaf23280491bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4ef5d7043e3bfe6d8e86b0c8d62c3f12

SHA1
508e6273d7e0d21965d240065c9373aff02daf58

SHA256
df6cc406dbc5daf5634eadae73cccb91d43c2c72f6ebb738628351938e75865e

SHA512
b20ae686f4d8f03c9cd7e275dc8b6c54edad1f2e57acfc5d4c90f32ff3ec14ee2d0072fc627e6db8da2853bdd2a225394722855b0ceca7602be28e4ed49e7718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
423fa5697cdbac1726788bd3a79829c3

SHA1
c9887978aa03dfb73d43dec9b974798f0812c2ee

SHA256
69b39c067d50e19debc1ed07b7efa8436ff06d1c30c8aeb4b06640a801c48345

SHA512
d2b82bda40231c5da0d326108d5ffa999feb7389c9986bcab45d660bb47d024785a37edb45bd943029ee025db916e847cddb0a384a560cd1b8365c7a78bc6562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a24330d7267dadf9f5295ace79025e98

SHA1
3623acd6f03840e6cae35071e487acd7749d6b10

SHA256
9fd7662a3c9ca167c673dbee113ea170dc9a908ebef0e662f6a0b9d5c4cbc3dd

SHA512
2bfa3e6e770edbd34e591372540da942ccda6ab6012c73b77ac518902ea6fe9071a25139c49cb8cf1ba22fe550fa0d26269e8d3e1c03102586a9bcf897410076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d440055fea0e36e07d1e09977cd5e60

SHA1
334a520e8bad64952d6fe32f7b43bc460949e31a

SHA256
f425d7e49d61016404d7e0746eb4de800db92b7832843a6fdbdec98c36db1042

SHA512
7665a97f0967848f545310399821743360b60ff9ce0dd66547903559767f5f71473df1975c1a7625f412d69b3265cb216097f8379c46c9b2eee6da8c7da3f820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/4436-22-0x000000001BA90000-0x000000001BCEF000-memory.dmp

Filesize
2.4MB

Download
memory/4436-396-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-21-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-81-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-87-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-5-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-275-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-71-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-89-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-88-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-390-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-0-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-397-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-404-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-2-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-1-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-420-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-421-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-428-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-429-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/4436-430-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download