vidar | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-main/njrtdhadawt.exe
Size

943KB
MD5

96e4917ea5d59eca7dd21ad7e7a03d07
SHA1

28c721effb773fdd5cb2146457c10b081a9a4047
SHA256

cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957
SHA512

3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687
SSDEEP

24576:ajfMVHefX7eO2FwYPMGNL/geFyNcTN+jv75TQn652VBuNyb2i:oEQreO8wRGJtF4ch+jvNm0Nyb2

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral25/memory/4860-0-0x0000000000780000-0x0000000000A80000-memory.dmp	family_vidar_v7
behavioral25/memory/4860-414-0x0000000000780000-0x0000000000A80000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

chrome.exemsedge.exechrome.exemsedge.exemsedge.exemsedge.exemsedge.exechrome.exechrome.exe

pid process

3076 chrome.exe
4944 msedge.exe
2464 chrome.exe
5088 msedge.exe
4532 msedge.exe
3972 msedge.exe
1628 msedge.exe
3892 chrome.exe
4020 chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

njrtdhadawt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	njrtdhadawt.exe

Loads dropped DLL 3 IoCs

Processes:

njrtdhadawt.exe

pid process

4860 njrtdhadawt.exe
4860 njrtdhadawt.exe
4860 njrtdhadawt.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

njrtdhadawt.execmd.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njrtdhadawt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

njrtdhadawt.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	njrtdhadawt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	njrtdhadawt.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4216 timeout.exe

pid	process
4216	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133749218415505614"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

njrtdhadawt.exechrome.exemsedge.exemsedge.exemsedge.exe

pid	process
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
3076	chrome.exe
3076	chrome.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe
4328	msedge.exe
4328	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
5088	msedge.exe
5088	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4860	njrtdhadawt.exe
4860	njrtdhadawt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exemsedge.exe

pid process

3076 chrome.exe
3076 chrome.exe
3076 chrome.exe
5088 msedge.exe
5088 msedge.exe
5088 msedge.exe
5088 msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe
Token: SeShutdownPrivilege	3076	chrome.exe
Token: SeCreatePagefilePrivilege	3076	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

njrtdhadawt.exechrome.exe

description	pid	process	target process
PID 4860 wrote to memory of 3076	4860	njrtdhadawt.exe	chrome.exe
PID 4860 wrote to memory of 3076	4860	njrtdhadawt.exe	chrome.exe
PID 3076 wrote to memory of 5012	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 5012	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 2512	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4144	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4144	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe
PID 3076 wrote to memory of 4116	3076	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\start-main\njrtdhadawt.exe
"C:\Users\Admin\AppData\Local\Temp\start-main\njrtdhadawt.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff952a1cc40,0x7ff952a1cc4c,0x7ff952a1cc58
3⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
3⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2460 /prefetch:8
3⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
3⤵
- Uses browser remote debugging
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
3⤵
- Uses browser remote debugging
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
3⤵
- Uses browser remote debugging
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:8
3⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
3⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
3⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,3549248072932957983,234149063791530131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
3⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952a246f8,0x7ff952a24708,0x7ff952a24718
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
3⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
3⤵
- Uses browser remote debugging
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
- Uses browser remote debugging
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
3⤵
- Uses browser remote debugging
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
3⤵
- Uses browser remote debugging
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
3⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2728 /prefetch:2
3⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3380 /prefetch:2
3⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4792 /prefetch:2
3⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16678758098452806940,14659503118402341013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4040 /prefetch:2
3⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAAAKFHIEGDG" & exit
2⤵
- System Location Discovery: System Language Discovery
PID:3968

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2d98b8eac71a89060267946b698202ad

SHA1
3862ef74df2c229c2daa9ca74bc1b1359d377a5f

SHA256
e10513bbf88d7e13ee13e41504b665a0c3013b7cdcb4dee602d4aa6dd0f26ce8

SHA512
8ee8cba1f6c3d4cb57f513ffdd38fe3fb16dbb617cb631b17719c97c63a8334afb45cee103a90c392f46974211fd011512f7f48c885c73a3a321f93fa9108c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
284B

MD5
ce00d685cd6a93190fd6e0128675ec94

SHA1
a9966daa3bb088153634b3c670f39a7f2c98c92f

SHA256
f0c9223f7cc7f6a652ff5c9f620e521038c8264d2a11e628884432923e9dd008

SHA512
846e35d97ec93fe044a6dd1ce376bd482378902311f5d650bb25d6523b3cb6b565537703a49531a4e19d1cf91f9b70b1c5f8eb800d818e99ee6fe5c9394092a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
418B

MD5
bb24930206f8904ae7c5233aab3ae935

SHA1
8d18546950268e196dc17372d594211594a8b737

SHA256
65411e7faf66770893706e3eab649735d18d430e5420594e3d9c0dc7d6327b9f

SHA512
0c8e59a06c530c5f0a67617f7c0f8de9607f8e89e646f625f8e9aeaa33472dbabc853b4f35c9fff1dede24dc09410d05bd173446d8f22de4b47892c9f588918e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
552B

MD5
8e5c7b7f2a39c71c135cd20587e8eccf

SHA1
b8789b6a9133dae76756fdbe3f8288135aa91ffb

SHA256
673a9a393eb26b1e6448d21bbc483da9245209d345952c6da777c6e2de6b4a34

SHA512
88ef6523cd3e759848eb7d1a177afd5cf9364d47bd67f3943c7094bab93580c637384a95908ebc9f2fc6a8128b37e20b46d016e6e391ebe0df0ca939969df874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
686B

MD5
63a9c813ec33f330f2efcd575f4069f0

SHA1
1952ae12144c057653fb6ab8c725711c0afb36af

SHA256
6e6ce7d8810c4ba4cf86613e88bc5eed2a996df7333e63c688e531cd6b31ef3a

SHA512
903e79d1f6aab81f2d110a56972e294caa4a6a09a68ea339ea5f8abb4e4253afbd285b52964cc7107779c4e3bb3a268cb3625bb1a55370248b9559eae646099d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\026a9406-3d94-407f-8081-2061a3fa649c.dmp

Filesize
838KB

MD5
3cfc1a8f7407f3a8568ef50cd088ba6a

SHA1
1f8d2ca7185f01d2e7d40249a48d4fe67d73dfc1

SHA256
40abbc2e1d70a8e4f6acd8e764462e8692da839e4ccf29488a426f16e8da642c

SHA512
8fb5fb4449e9225d43a732a8995051e0cc9521153d0942bc10c88f26ac9eb4e6e3d5d344f060cb6acd67fa2d760fc083aea6cf3c9c5fd43dad3f9248cfd465a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\12e780b0-9b13-4110-aa39-29a756d7b0e1.dmp

Filesize
826KB

MD5
85fcf524b7e29d6b7af7396c2d81f382

SHA1
9e0a78c8345aee91252cff07c0015d67e7eb5d49

SHA256
87479c0ea8b1bac7585b86e83f654fe747384c90ad2fd48134d5596797035cf4

SHA512
acd1981a9990591de25a6a26b06cd50b591e8a04ab44c8add2ae0ac215bf33368300321934d89f5c7dadc4f096bad7b5dc2c6898e592d439c400d430e0f9f177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2025fa4c-e5bd-433a-8f82-c2a2710932cd.dmp

Filesize
826KB

MD5
78a738c35a6a9caed25cec453f9fa4fd

SHA1
a6423557d291dd88e00387049b8ba1ccbc4a35d2

SHA256
85cf8a8d940aca4600fbb36c3bf6f3c684a053e5adf578c4f7667a1fc554095d

SHA512
52093bb01f13c3a17d278f618e9938fc1efb4c33d6dfa3344fd945dfccd6708a71275972a265ca5c89aedb00fcaac36d20da18e85ea953b9f21a4fee270e9317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\81607b6b-335e-4c8a-b143-a044050b1397.dmp

Filesize
838KB

MD5
2cfe806469328d05aaadfec5ab4c2ba5

SHA1
7179ffc43ef2105703de2836dfd4e6f8bafa8cff

SHA256
ea86a535ef238be2a83b0b0999e7f00c63af5fd614d14f47bf9904db4cab14b0

SHA512
0e82ef5707c3470a7c5486f2464e24e6f1766cb23cb520ce5495944c62d173c1d520e9369a590708cc5916fdfab5540916dfc395374becaf221d9bcb9108fa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\95081a87-764c-4652-b70d-f0283d6d4801.dmp

Filesize
838KB

MD5
a06fb8f7bd192c38f1b6f9b5b4583c06

SHA1
cad5f5a8372e10c794b21f5db986ec9368af8e61

SHA256
7c7e070d2932f7685a7f7b0e7c28765d1aed054ea00c011f1d549dc4c32bd07e

SHA512
b754fc4337450673f691628d09089c2fa72653570b8afc20ac69ea420055bc23e73d2ae318d78154ff0e13e1bb4bb773d7533aef13a60ec432e1019a22aecf87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d6e5d83d-1643-4edb-9527-e6cf2f34f3b5.dmp

Filesize
826KB

MD5
da53cbe9742562c5af73751d9f60c6f7

SHA1
aeeaf6ce3a607686c7715edddb2c4fa27a754c49

SHA256
1dffb763549329751846fb28f041e3cef04b2f9d8fceaee53aeacc2e8cbdb687

SHA512
9cfb6943f696f45a78459885ab5f8114de4bacabe60c1981a30637c43a5b9efa2ebd87f1ec53f4d58e0d1c3c75fbc697a307f1600c6f83a3a4d1a19e3e2deb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
015007c3936b3e7a8fc426615b118ecf

SHA1
d80249f5aa6123f0e00ad901280f58057a34e138

SHA256
83814b0138bceb366ca09b8ad4b4d12977b8f9bdca91742f730a136a5cb4d19d

SHA512
0eded808c9b21a629472fb92d2154fccd590cafb5bfde842b30174a61ec8da2e3191dd0dcce93ce14990017acf4325190431a12e5bf39c7af9aa4d0e57f65041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8918303e8e2ba076e9b9eced57ac901

SHA1
2f6718b23353882d441e82ee9d9b7bc93931d96f

SHA256
ceeef240a12de89e72cbbf5e8f4430c5056215919caeb57626259482392cd312

SHA512
8939dcc1b86264d658b95bd6e8ff193bb8ef8d981f5ca62dcdfe5f9843f72080ab6e78f309ae57b1bba0d13fc5bfcf2f371d0bcd04f7e1ec03b3cebb35713967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a14517ea07552686fe22c100826c163e

SHA1
8930bb8338ec477de1df23514c9d34702552bf2a

SHA256
0ba95222db11666ae44a4ed590ab094dc1aa00bdfad4c8939083b5839784b433

SHA512
42236b6fc759f61516379302fd48a2cf7d0337a29c0ad2047fb65b56bd39a11bce200f53e0f09cc7fa5a10e99c6e81451e0bc552ddbc68c09f05a6c239c6eb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_3076_ZUJWYRJMGYTVKLWS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4860-0-0x0000000000780000-0x0000000000A80000-memory.dmp

Filesize
3.0MB

Download
memory/4860-19-0x000000001F3F0000-0x000000001F64F000-memory.dmp

Filesize
2.4MB

Download
memory/4860-414-0x0000000000780000-0x0000000000A80000-memory.dmp

Filesize
3.0MB

Download

pid	process
3076	chrome.exe
4944	msedge.exe
2464	chrome.exe
5088	msedge.exe
4532	msedge.exe
3972	msedge.exe
1628	msedge.exe
3892	chrome.exe
4020	chrome.exe