vidar | 937c46006e622509af09340233e000490f1294a6122f6d222abd8239c15f3a0c

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-es
resource tags

arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows
submitted
21-12-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlock_App_v1.4.exe
Size

323KB
MD5

34f45d20fef7dd9c8e8d7f5b9d5fa6a7
SHA1

4270a1cf22a0183d772bf143bec8a81b8b4ac51e
SHA256

42226b9f119843f7ff26e7d50895564d59fe8bf8db1830047c86298d8bc22d74
SHA512

11a4e65e08a6f948336971e612f859429c4c58c6443ba85fc3b7a5165040bde57555c596a8c0322cd71b8e1fa3758dd7f6a247de5197b32212d9a90c37fe2410
SSDEEP

6144:bspY93m4ezZF197TvhhFUJi7AuRQ1zkIFZQRhtinsoCiiEI+:bWym4ezxLhKAkuRQtkIjQRGns2iEz

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2948-2-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-3-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-13-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-14-0x0000000000400000-0x0000000000639000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
47	camo.githubusercontent.com
48	camo.githubusercontent.com
49	camo.githubusercontent.com
50	camo.githubusercontent.com
51	camo.githubusercontent.com
11	camo.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2948	2484	Unlock_App_v1.4.exe	79

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_App_v1.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_App_v1.4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Unlock_App_v1.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Unlock_App_v1.4.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3504	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\link.txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unlock_App_v1.4.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unlock_App_v1.4 (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unlock_App_v1.4 (2).zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2948	Unlock_App_v1.4.exe
2948	Unlock_App_v1.4.exe
1348	msedge.exe
1348	msedge.exe
4632	msedge.exe
4632	msedge.exe
3524	identity_helper.exe
3524	identity_helper.exe
4596	msedge.exe
4596	msedge.exe
3692	msedge.exe
3692	msedge.exe
1084	msedge.exe
1084	msedge.exe
3048	msedge.exe
3048	msedge.exe
2356	msedge.exe
2356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4692	MiniSearchHost.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe
3692	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2952	2484	Unlock_App_v1.4.exe	78
PID 2484 wrote to memory of 2952	2484	Unlock_App_v1.4.exe	78
PID 2484 wrote to memory of 2952	2484	Unlock_App_v1.4.exe	78
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2484 wrote to memory of 2948	2484	Unlock_App_v1.4.exe	79
PID 2948 wrote to memory of 236	2948	Unlock_App_v1.4.exe	80
PID 2948 wrote to memory of 236	2948	Unlock_App_v1.4.exe	80
PID 2948 wrote to memory of 236	2948	Unlock_App_v1.4.exe	80
PID 236 wrote to memory of 3504	236	cmd.exe	82
PID 236 wrote to memory of 3504	236	cmd.exe	82
PID 236 wrote to memory of 3504	236	cmd.exe	82
PID 4632 wrote to memory of 1944	4632	msedge.exe	90
PID 4632 wrote to memory of 1944	4632	msedge.exe	90
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 4040	4632	msedge.exe	91
PID 4632 wrote to memory of 1348	4632	msedge.exe	92
PID 4632 wrote to memory of 1348	4632	msedge.exe	92
PID 4632 wrote to memory of 4920	4632	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe
"C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe"
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.exe" & rd /s /q "C:\ProgramData\68GDBA1DBSJM" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3504

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd8a7a3cb8,0x7ffd8a7a3cc8,0x7ffd8a7a3cd8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\link.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,121954937191195436,6147422610290932674,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c95e86649032a02a23147a96073c627f

SHA1
fe34a1616538223315036519d9e4e1d5f0e98eb9

SHA256
84125a860c2ba985393f0cc4d9e5a997eb63b89d514bc7acb97c28cfb6e42832

SHA512
2dd7e724f534d03e2981ba96a6402a97ab92763da09479684238881e41e04f5474d693af22946f9bda5302a12f2419f253cf43754e6fed4d8ff120ba30f0c809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a0fefec05178e431abdd940495554bb8

SHA1
31dd64bc464a7303368c1eac24249f9318322481

SHA256
5aeb0df4ad31588a5cca46c62153f854e2d909a7f367d4f2a0470973f20a1cc1

SHA512
b510ec82054ca19a8c777e9a6ddb549a7d5f80cfa612cc1695745e105c80567f415b205b9e35d9471a99e7a49832d25d14fd97b2ae599fc871d2e86fe2c64268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64bcf0b614ebdd787f8bced1b931d127

SHA1
c9c7068f8c171f655306dd49cfc6c9202cb7a17b

SHA256
b00657011cecc80831d808e3816981bb8a6b7f8eee496056bf69a8bbee9fc9d3

SHA512
168e03afe3e16dc026b556eb0c7e8dd071e744e8448be02653bcd5c63ee6574aba5c3d99fe7b0600c2d5c2efa793fccfd68a5b5ddfc03be9505e282dbe11e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65897b83ec887625ed7d3d201b2c4944

SHA1
d4c896cf80ae62ccfede56523e269a379b87f47b

SHA256
fdbc33413f727d59a01decf4c97fb0f06f7185d7f04c73fc71e97031ce29647a

SHA512
4a94c5e6316ad2db37ce2dae1da38c5dbdc6319a660b354843f478a8e842514dba8befc5e80e63b3f49a391596215d9133b4c7089ede4565757e9713ccff1b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecc4516c28c5ad6e2b063fc32369f5d8

SHA1
e541dc799f2919f8f5c33910568a8112764996c2

SHA256
00e8f947bb4981ba9d55c73a5c8a3f6f04850cd79924a709df90975cdbf75061

SHA512
c88cad02eadc5a21683d2e2bb2e6fe0d33fe1376fc411b6cbe9d08f8531ad12f036001f308e0dec3e234dbfd3d4d96cd6b635a3200fec582a705f6d95885f90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fb43d8a07b4a2438920fad7ed043385

SHA1
a454bbda93ad7e6a349ad88437997810ec3d89fe

SHA256
1c1ec79270be6c413c7ebca6293331df269f4720544098c7ac79e8419970a584

SHA512
55ff94b15bf29ed1fa641f2cbef450688796b66fda0053fad6d55c51272dd234aaf1d3ab910281a07115ad99d9ff65b6f230fadeda153a0f11a23b31a1334d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eaea251174a9632393a198c42720fcf6

SHA1
a7df7127149594d5a5ca4eec375e62b84562da0a

SHA256
00e2ead4c179819030ea6f64401fa2562ac32e212fcb9cb28960ac8448983f22

SHA512
3657d9d29fdf793e04ff11da6a8a2a4da307a59befb9d0cd00c1b3b7b5863b07d68b181edd402eff4926caaa2d045d78febd197035f8b2a5bc41aa51a1f2bb1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
40e230fe95db30227898081651179c64

SHA1
e868836c5ea38f6fd2df48b5b0633b4139eef7f9

SHA256
12988fff24b6f022240b08f06e8d216438b2c2c433de308f2a2f231df635e5bd

SHA512
61d8b152c54fa23566013f6ca699abe60ddc7ee281e6de12baaeaa9bdc45c8a76d39c2ceaab7b81ff29d5464b5b6bbce186eeb3d82540b7dbfb6e33853cea95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3b3d778a012fd31955c6bce8954f15e

SHA1
a8ff2d5b6721ee87eb93710be78282aec5631040

SHA256
37e79ea1c794b64367962e93982cc84f218882b73666a16f653663f4ece64fc0

SHA512
ca1a9395ef4dc6b2b0616cc63b39dbb756c57d2fb99f5b58b6592931fc9b7d1469a46b432160a8814ef7bcbdc0deed97ceba6a3555051dd5c511fd65697216e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3da2ae2122b8dc8f656fbb8fb27746f3

SHA1
95450d2f587eed9abd9e6ecd529a2809906ab9e7

SHA256
6c0d53a05aa012f467c18e18f95d8a92a1ba7cd4ba28fef0771321cb738e37c3

SHA512
fc21486e795f8078d0181eea9949871a590bac3900f0191807de8ffc1593763d69c00b6ea6c75e82b35848beb0cdab32477fc38259f57acbbe767ebf9ee69b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5911aa.TMP

Filesize
1KB

MD5
dd10d87355ea5b5d75d0765c2139b170

SHA1
f0f8277c7a5385059a2e57d3801d2ec371861ef4

SHA256
5969a04f03b062b1eecc14ece9255ac7f909a606a3de7ba3a1cbc3430bc923cf

SHA512
86f54b2fc0f31d177e152c10367a68163a6ede8bfbe6c0ac72179f7f35339d4fce0d80b6eb219c45502b0480a86c4e4472e712979a7abff2a75e60c6b94c53d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0131b46c4e49ddceff08000ed1f3b185

SHA1
8484c828c8b275d710612cf5b55669ffc011c3ca

SHA256
2b036bf5f8bbdca44faf212686ab6778a723d15f29b9e7f1de3fa132b777a64d

SHA512
f19d920eb951b87081a130f756e9c309d1a1c0ea025b6ec8dc31e701e501d64c1b8ed68809986762b32fae6f8023eb2a8adf661b1918d0dab8914352a2373ced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
083e83c3e3ca70c05bed4c883aa0870f

SHA1
fb9ca5bb3805f29bfa29eb66631140e1867d434d

SHA256
ec9ad27e606db83f026ef79b9304d23e843f8704f27c493a2c1abfaa1fc76098

SHA512
8e61cc21fdd8601610e635c9d9dc59f6c2c5261dd12d89d6d928ebdbf005dbe4676386de371167a2e741b5e1c3017f4af4d73d6b37cdf5a511d4fc44a6a58651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8328b1ebf463ab3a436fdaca85eb0f9

SHA1
8c3ea2802b7ee3ca1f45ab60e1fafd943b490a72

SHA256
0f1c5e4460ea89a3023f3f80c7685ce0a5c1946e0ff03f7a8e4985a7a577eb7a

SHA512
4d6a405bc3f9314c7ac7ef3e3e7c743b64d59dd7b3d410231596b7665d861819eb193b3c106571acad2e9b1557a9dd78eb126149a9ba4aae48a6d337ddf66b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c07414fdab702976d6000bcd73f283c1

SHA1
999ca071e572fb125fe37a8779ea6362e8183d05

SHA256
667813fd98668bef74716f9f6c6c49bdef94b35c10193245f4e519b723b83dd7

SHA512
9ecae413d2f1f68ea8c84e7f549c5519b4d35594751d4da16a591ca6c2c83b3e2dc2a280dba595bd78f3cb58d5b194d090fcbc73940d3becb2d23fd3201fe50b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
33eadff925b5cbbf8d978b0e866ea092

SHA1
4c3044f35dba4258dfe5065c6925f0bc32560696

SHA256
4d1042816328b3bcd58a499f43fcaf7448f8a5b1443a4ac9c3f1e6258c428920

SHA512
2c872230b474abfb2f0a6409219d53788b9c717382e0c84ce6e384553f99dd5e7db7dc175d4d62dc9f23cc44cfd2395bbc7eeab240f367b434ba115206ef1408

Download Submit
C:\Users\Admin\Downloads\37bb7498-03bb-427d-ab18-1ced330cc30f.tmp

Filesize
48.5MB

MD5
70476979f8f00c7a79f3d18d81fc56a8

SHA1
2b6e67c9b043398e396f6cb44a6d40ad30d5f8a8

SHA256
937c46006e622509af09340233e000490f1294a6122f6d222abd8239c15f3a0c

SHA512
1072d9b40dc8dce4833b1fee6edfa0d90ce33e74839823c57dd24e89eac4bf674f15ee6c4d1b5e269b6fe32629a3d8a74cdec5e732460b46049dde7eee49d901

Download Submit
C:\Users\Admin\Downloads\Unlock_App_v1.4.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\link.txt

Filesize
143B

MD5
510b3ce5ffc56c6b2201b1cd96f0e224

SHA1
f726989e326d3c0c735f36783f31f7cbcca560d1

SHA256
d8d652579039b4175a95ec1c01418284bd25c3ce1508a4bacb17ba633f2162cf

SHA512
db86b1dc354fba869a6360c764bc4fe113470ac21b7ab09a7d1ba95779a4e43ef6d7b578e9315122322915121f890f5d3b3e6381f3607ab58ebfb668216fd61f

Download Submit
C:\Users\Admin\Downloads\link.txt:Zone.Identifier

Filesize
156B

MD5
9812bd1891e51ad6d40681fd63408305

SHA1
65a1bfd2ac065540a9a9c11a2f27101b31ae3356

SHA256
ef698c11c7515e7ce8b8f566542b669da03a73f459d335d73d0910ec9adee96f

SHA512
c7a5946bf65f5bfd2c00885c618e5846867e6e3e915a28704b6195735c5b6ac3a86c3f1ddff79fef38a8fab2c649a79393b7115bc6c833c25a0ca6b03ab98643

Download Submit
memory/2484-0-0x000000000009B000-0x000000000009C000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2948-14-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2948-3-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2948-4-0x0000000000070000-0x00000000000C7000-memory.dmp

Filesize
348KB

Download
memory/2948-2-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2948-13-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download