vidar | hxxps://github[.]com/Hira20/AquaDiscord

Analysis

max time kernel
148s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-11-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Hira20/AquaDiscord

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/6124-907-0x00000000037F0000-0x0000000003AF0000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-934-0x00000000037F0000-0x0000000003AF0000-memory.dmp	family_vidar_v7
behavioral1/memory/6124-946-0x00000000037F0000-0x0000000003AF0000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3996	chrome.exe
1608	chrome.exe
5244	chrome.exe
772	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
6124	Installing.exe

Loads dropped DLL 2 IoCs

pid	Process
6124	Installing.exe
6124	Installing.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2679f859-e319-44cb-940a-257c79db45db.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241105004158.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installing.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Installing.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Installing.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2788	msedge.exe
2788	msedge.exe
1700	msedge.exe
1700	msedge.exe
3108	identity_helper.exe
3108	identity_helper.exe
5160	msedge.exe
5160	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
6124	Installing.exe
6124	Installing.exe
6124	Installing.exe
6124	Installing.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1492	7zG.exe
Token: 35	1492	7zG.exe
Token: SeSecurityPrivilege	1492	7zG.exe
Token: SeSecurityPrivilege	1492	7zG.exe
Token: SeRestorePrivilege	6020	7zG.exe
Token: 35	6020	7zG.exe
Token: SeSecurityPrivilege	6020	7zG.exe
Token: SeSecurityPrivilege	6020	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe
1700	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1268	1700	msedge.exe	82
PID 1700 wrote to memory of 1268	1700	msedge.exe	82
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 652	1700	msedge.exe	83
PID 1700 wrote to memory of 2788	1700	msedge.exe	84
PID 1700 wrote to memory of 2788	1700	msedge.exe	84
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85
PID 1700 wrote to memory of 232	1700	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Hira20/AquaDiscord
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbb9fc46f8,0x7ffbb9fc4708,0x7ffbb9fc4718
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1384
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff627f65460,0x7ff627f65470,0x7ff627f65480
    3⤵
    PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2608746086210653255,13493036685823632470,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2929:76:7zEvent28004
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap24717:72:7zEvent12219
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\Users\Admin\Downloads\Setup\Installing.exe
"C:\Users\Admin\Downloads\Setup\Installing.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1c8,0x22c,0x7ffba80bcc40,0x7ffba80bcc4c,0x7ffba80bcc58
    3⤵
    PID:1684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2520 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,7849735226256471201,2353335854738226560,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4572 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1608

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrome.dll

Filesize
676KB

MD5
eda18948a989176f4eebb175ce806255

SHA1
ff22a3d5f5fb705137f233c36622c79eab995897

SHA256
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

SHA512
160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d9c9a841c4d3c390d06a3cc8d508ae6

SHA1
052145bf6c75ab8d907fc83b33ef0af2173a313f

SHA256
915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d

SHA512
8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e87625b4a77de67df5a963bf1f1b9f24

SHA1
727c79941debbd77b12d0a016164bae1dd3f127c

SHA256
07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e

SHA512
000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ac9e2de8ce0821bd6524e1a9a79337d4

SHA1
de89fd1e107292d61eeac4e7d74239a5c66aebcc

SHA256
bfef4edd1ae2c908eed7b8db9729229de76444e69c753841b8c57adb4e102aec

SHA512
67b3a5d335855517a803f7fa160f6b28af16563c2c8ab65f088c2fc6f36cc0bc63faf53131b74465680cf4996457b7b27c01f963176faecd394b6dcc55082953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
116e998da4891ad9d2675d00621d7bf7

SHA1
1f53085b8921099b97354c7922b0cf808910871d

SHA256
803157e4218030d4dee9c0e96368e3f16efa84063495a895c0502d887c0e317d

SHA512
ef93bb8b8205b25b07f2879524e2dcd959e2adc761ce15f0447339f237cbf83a26a8a55db4de63557f893960797d1ed3ac765f61bde17416b95fa37edaef9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
cb2c9697111e87008354d236d31950de

SHA1
eb6d7e2156462d483ae9e8715da74e96fb7056d7

SHA256
56eb573349bb23d498705ea5ee72a995c8d064a214faa251347be97483352b66

SHA512
dc172f2670b50b84d72fdb0351cf0da29c62862fdb19076b06dfe4d6f9aeab7db2c4ba45842112f9b5264b8afabd0eafb6f590165d5f47e0c2a72f096d74cccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db44d012aca012436d70b3c2bb75151a

SHA1
ecf35c05f0c6f4b5e04312b983c164f9a4044511

SHA256
3c68328ace16613775fd2dd17ed3918336dd49188e6498eea38d682bc46d557c

SHA512
341a96828f06682616f3066439076456192e80d7553a13dac81974d835c7d4628fcbce8f5d8145851983a8ae43208f12ef562edfe4c47f7ed0224d469e151dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7e4d537f8b6aee18d071e9af5564f06

SHA1
a61c823a707bead8ae4941cd71d337f8bda660a9

SHA256
793913ffb85ae7bfb8c26cf9545d3f02bf1c9e52007ed384c7fcb3fa2df45a57

SHA512
a482d4aa2ae2c68a6045bd041d8ffd17f93ace1aac5322e53feda145ee12b70a37739f7c535363c70284213c314eea4dff448e40c38fc6f6da1c8a87f2d8b9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c982e20804f3343600a0712f75a57a03

SHA1
bdfe88d0784b597c171b611b2e61db6efe870625

SHA256
780704f3748059986e3a9d9e03a8bf6914d848e5d9f75dbd4f0607b8cbb83517

SHA512
7ecbc3033b049df043f4328bfef64af186080fb824ec16da1eb0cf50bea4570dd57ddc4fce0b25e6f7636ba100235cd9aac44aa335b321d91b95e80780d5f514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7412aa6a37d61d7547d27c30381673c4

SHA1
2c98ca06e2981a48bd810b7781819feac67f1c5b

SHA256
0fdf2477e5b9bc57119dcacfcecc9ef800b4174255808f51511e5f844395752b

SHA512
280431bef2e4441a77fdc7b036cc4f9a1ef29bebe815b0485d7baf6a1abc75696a2ef35e3f0f6c922c2abeaefd0b4bff271fcc031846260e94482dfc2c291183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
137094a3453899bc0bc86df52edd9186

SHA1
66bc2c2b45b63826bb233156bab8ce31c593ba99

SHA256
72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44

SHA512
f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
364592d2cc18adf665987584bf528cba

SHA1
d1225b2b8ee4038b0c42229833acc543deeab0f6

SHA256
bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c

SHA512
0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ad00eb526f4a43210016e28e37768a2

SHA1
8aad3bb87a08bccb90ac92db2174418d70a9b93c

SHA256
5c1db1bd884765f1a400f5508160c0dfccf1319c3af9edc1c5d05b5d75b8b527

SHA512
f3ebc5f86d182cbd2bdba6806d97f0ba192fce3bf825547f3fffd0fe9d1ba166d05964d7f34d802f6c8cfee40af9b5708ef5e7580a5cb37d8502cf27b4e1b200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
610ff9bb1b5d9af48551d80c56bfb3b9

SHA1
eb5742a0d44ff2b377d9b0f0f2fd82bb85a714c6

SHA256
7786b80df2dc9d048dfc409a24d9ce2fbf2270179aaff4365e2770bfc367103d

SHA512
7bc6837907498c3799cd8f4c598d1b2642e85c8bb20f590290e999e486ac524e183ba4654289102eeb4ca623bfb1e523a33932ef06ac31b86b1e267d73f0470b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58047f.TMP

Filesize
1KB

MD5
a8056b1507333c3cae52cce8a9d83d6a

SHA1
bd139063c7de24d2d7af9a4879c9a02451875702

SHA256
e5fbb1b2f698fec2ba623aeaf4fab1d3c7c6c22cbe37dafc8f84369ccc341f53

SHA512
b4c2edb9ce2d1550cddcebe60c4858e1b3f730597fd93f3b1566d579543bbb06c789e3d858d979d048115a60986583ba0292d5379ab1de4aa1232510621cae84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8a315fb021f49f917bae6910eeacd33

SHA1
76f1fdedc2655945767748947a195d72671e5c3a

SHA256
afbb31419132706736207c4274ae347222e63acc328271a066cdfb0ce95f4561

SHA512
13d5198c7815b78cc04bedfa190a46cb120b27f8dfa611e4dcd467506bd0c0952a8dcd6f42cd99b43102ebb0de488e04f5758055cb9712afe00bf024e0de0d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
452a690cd0dc8580f9c54dcb9d5fd406

SHA1
4c0f43e894034ef39acc482c03b7a68cc0803a48

SHA256
6ec79fab85ba2f67a399830336adf2e52ac7ac99e63b500600ec599e3a729bac

SHA512
31efdb96a5472f9ef00fd25dc3517a48547f2569f11950f5e23ea43e591776a39c53bd93387522276010e5ab69fade42ec2a46dd0f5c4a4e686e5f957d0157a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8f5a28873bc8d2c55291450263a2edb8

SHA1
45df579a3145678198c15f9eb3f9f79c5df5f9bb

SHA256
c132421ed94a0c7961ee083bc07cb39c77356082587a6b3bae113d2d167bfa52

SHA512
e94a70502f6df08b50d13701fd21a6721889dfe6133140693106d4aab4bb2751091ca72561996d8d1e1d10f9c14acc22eb2a0763c2a33727186c20934f3993ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
30193cda2ca3b9a31875afae3f651f37

SHA1
4f7ec72fe8fe884eeef509712e9670493543763c

SHA256
c023687b187a0e39bc65cd051ea0a756a103f084183ce40be5d0a63acf40db56

SHA512
891d25894dc1e1c1f055a152b295fca3d0f4adbefbfde6339bfff7decf7ebf1ca7b8a793f0ecca934682bf4832787908ee428ee7cf7a14c6993c45f5b7641ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6bee43ff5b1e26fbac3baa1e627a8ab8

SHA1
15edc9d402f84f5c7b8d282032ffdf5da4f03304

SHA256
b146cd8c4f8c76ad0fb35bcce4c19d185a2b7f2ea87e524327c1a8aba7bd0859

SHA512
8b4f81136151893a3d160cd01f07c591ef7ab82cd5c6093e7ca19b3854f8517f0fb9b29d46b0d434063646efc78a9a603b4160432f337df4ce94c84526cd4781

Download Submit
C:\Users\Admin\Downloads\Setup\crl86x.dll

Filesize
40.2MB

MD5
d346f59a8c953406c19fdaa5d31c4b45

SHA1
68fcb7dda2b015e3ee9a9c271e23402566ad1dd7

SHA256
e89dfd276365f09169a40eef3664ad45bfb14779b8ff13010a3593262c2a28ff

SHA512
cde7d6f566602cfdb6e53d46b4557885286ca9785b4faa4088c1c925ac1d92fe84e832aa0d8317be54f3d9758b00acdcf174364e2689249bb45a86f4a3bbb769

Download Submit
C:\Users\Admin\Downloads\Setup\jres\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\Downloads\a6c00a0e-dd34-4ade-a549-e8d38ee79749.tmp

Filesize
31KB

MD5
8fe92a1b8c2ce8073c76aaa56082bda4

SHA1
a1d45346077eb4dea273d3e80423989f7ba2bdbb

SHA256
39ef76064439b06aafd155e8252018bb5190b927b14316a8522d25aa3d6d0b0d

SHA512
7a0d38464dbe4b615f4e98f64388bb187a98cba26540087fc736253c3755e1d4ecc0bfe767d3802760b8b03ce3bb5ad8d404ce9b3271174a74e4ebb581753d80

Download Submit
memory/6124-906-0x00000000037F0000-0x0000000003AF0000-memory.dmp

Filesize
3.0MB

Download
memory/6124-907-0x00000000037F0000-0x0000000003AF0000-memory.dmp

Filesize
3.0MB

Download
memory/6124-934-0x00000000037F0000-0x0000000003AF0000-memory.dmp

Filesize
3.0MB

Download
memory/6124-936-0x0000000010000000-0x000000001025F000-memory.dmp

Filesize
2.4MB

Download
memory/6124-946-0x00000000037F0000-0x0000000003AF0000-memory.dmp

Filesize
3.0MB

Download
memory/6124-957-0x00000000753C0000-0x00000000758FA000-memory.dmp

Filesize
5.2MB

Download
memory/6124-956-0x0000000000F40000-0x00000000011B6000-memory.dmp

Filesize
2.5MB

Download