vidar | hxxps://azsolver[.]com/files/main[.]exe

Analysis

max time kernel
197s
max time network
211s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-de
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-delocale:de-deos:windows10-ltsc 2021-x64systemwindows
submitted
12-02-2025 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://azsolver.com/files/main.exe

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral1/memory/1856-124-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-125-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-141-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-142-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-144-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-194-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-217-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-228-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-229-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/1856-230-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
9	2192	chrome.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3792	chrome.exe
3076	chrome.exe
2696	chrome.exe
1876	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
4036	main.exe
4136	main.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 1856	4036	main.exe	103

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133838533917835090"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1736	chrome.exe
1736	chrome.exe
1856	BitLockerToGo.exe
1856	BitLockerToGo.exe
1856	BitLockerToGo.exe
1856	BitLockerToGo.exe
3792	chrome.exe
3792	chrome.exe
1856	BitLockerToGo.exe
1856	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1736	chrome.exe
1736	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeCreatePagefilePrivilege	1736	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe
444	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
444	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2764	1736	chrome.exe	87
PID 1736 wrote to memory of 2764	1736	chrome.exe	87
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 3796	1736	chrome.exe	88
PID 1736 wrote to memory of 2192	1736	chrome.exe	89
PID 1736 wrote to memory of 2192	1736	chrome.exe	89
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90
PID 1736 wrote to memory of 4200	1736	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://azsolver.com/files/main.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb4641cc40,0x7ffb4641cc4c,0x7ffb4641cc58
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5012,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5004,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5332,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,7357912910502364563,7997977666225278033,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  PID:3644
- C:\Users\Admin\Downloads\main.exe
  "C:\Users\Admin\Downloads\main.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4036
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb4641cc40,0x7ffb4641cc4c,0x7ffb4641cc58
        5⤵
        
        PID:2976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2172,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:1696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        
        PID:3216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2336,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2320 /prefetch:8
        5⤵
        
        PID:3612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2696
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4552 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4220,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4828 /prefetch:8
        5⤵
        
        PID:4652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4764 /prefetch:8
        5⤵
        
        PID:5096
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5000 /prefetch:8
        5⤵
        
        PID:2136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4756 /prefetch:8
        5⤵
        
        PID:1412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5240 /prefetch:8
        5⤵
        
        PID:900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5184,i,13706743567563247006,771540431608284766,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4544 /prefetch:8
        5⤵
        
        PID:4012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1908

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 27424 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba69ba01-c8d9-4796-9c68-32844ecbc1c1} 444 "\\.\pipe\gecko-crash-server-pipe.444" gpu
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27302 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13d5c9c1-f76a-4589-ade1-44a2df5f4cf9} 444 "\\.\pipe\gecko-crash-server-pipe.444" socket
    3⤵
    - Checks processor information in registry
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 2668 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83b26001-edfe-4d96-a1b0-a092b1ebb0e1} 444 "\\.\pipe\gecko-crash-server-pipe.444" tab
    3⤵
    PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -childID 2 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 32676 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36994ea2-77b9-46fb-9acc-c1dee80ccaee} 444 "\\.\pipe\gecko-crash-server-pipe.444" tab
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4644 -prefMapHandle 4640 -prefsLen 32676 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79f07f4-b994-4c9e-914f-f4191bb94be3} 444 "\\.\pipe\gecko-crash-server-pipe.444" utility
    3⤵
    - Checks processor information in registry
    PID:2184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -childID 3 -isForBrowser -prefsHandle 4808 -prefMapHandle 5188 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f582a1dd-e051-4c43-b1bd-f277ced029c4} 444 "\\.\pipe\gecko-crash-server-pipe.444" tab
    3⤵
    PID:3040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8402b74-9239-4f46-bfa2-77631421788d} 444 "\\.\pipe\gecko-crash-server-pipe.444" tab
    3⤵
    PID:5096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5444 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {711ad7fa-bc4c-40bc-9b90-848f7cebf67c} 444 "\\.\pipe\gecko-crash-server-pipe.444" tab
    3⤵
    PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Users\Admin\Downloads\main.exe
"C:\Users\Admin\Downloads\main.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3b40f3ac0ab9eec6a23934793abc79ea

SHA1
7baee89ae00816a5d388f6437636e9db2f2ed7f6

SHA256
88f496627b985ba693976115a1fc58480fca14b11848f8dc865232457050a49f

SHA512
f7a0062e6c259750d8f78eab6939178a10dcd03040f3736f9dd375926636b4ecc81cb6863e8833cbe57a3731af86587d0e2775bdb9e44531bade03f8cbea359e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
e432abb318a5d8c91e1955340e78a698

SHA1
dca9c62f60035dd07faa911acd35057bd9730e0b

SHA256
cb48947730238c8156ad646c13bf11ab4870dc93ce4c20d4d5844db02160bf20

SHA512
c369db9ef947eaa568c950addb30ff595f09b25d1b3da8649b88c1c8827fbdfe1eb590d51fddcb82180d2571e17c6a69ad57cf14dfeb69814e24e9aedc39a0a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
1ada444b43b0de3380b54fd9701649f9

SHA1
59a8620d13753c61127c8dab386c3ac1cd048dff

SHA256
684c9f22c49b451eb42f6d6d56e93c1dca079cccd29101c683fd9e1a63f2aae4

SHA512
71be7d47746ba28124defdfe7d79871b8a3598c2e9376190de30eb91d56005700458d857b15a49b558bf2db1719cf260b9baacb304908ce2edf9d9f43a30b03b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
a283bbf1c1ca82674c1bcf596e584dd3

SHA1
6ba35cb239eb4f3da91b8e7f04900fedf24db92f

SHA256
6a8ae5a69c2ee65996f43239a29f5024c4187afa648ec3b8f8f42ef02a213285

SHA512
5b3d363207561b192e0d100628db6757b34a3080f6fd3b0cd6ae7795cd4f22722352010b859e091899f54f45edebe4a21ec9f96622c60d3afa8df51629cd01ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
55aa8b787bfdf19d0ec72e0bda1ccf04

SHA1
543a47c8fd775d5be35d9b69f96fce00bf1c12a7

SHA256
44a1143cf4a4d11a0419a4ccec517098b0bdef448ab7b05d1dd9bebcef0c1078

SHA512
8a5f22d5c1dacffcf2a9c5d5a10e96e8f98c59c262ec5240ce3c653e49931be59430d593fd6bcbd188f6472608b97606d84b9a03b8797fea2c1469f9cc17be93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\LOG

Filesize
327B

MD5
0d873449d4c0f4048c7e86e14ffbe020

SHA1
cfa350fe120f1a3c23196b6f89d81530fe0ce358

SHA256
bc926c98b857fba165fd1b91b4fbf5ea7917b841f62af40aa470c65b7aad3e85

SHA512
580f5956679b3a52f44776ffba6ca348d454ea74e7a61fd5755f382003477a7f024de0b28fb26605d982734f06eb0e9ebe593890108baf33d1fd094038cb28df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
63b7f74f5d27b4c70dd4921063b74b52

SHA1
d9949030445f785552637d86f2319659a8bb1c23

SHA256
bef255ab408a6f4ceb212fe88f32ac39ca1a32bef200b9c5d692ba61e65d6467

SHA512
ca1eb5eb513abfe0718e258ad3af6cd4ffb0a60e5289a49434c590b644c8ca791aedbe00fba484276f9d983e48e295f9aa724bc2caa6d209295f01d2d0186825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal

Filesize
8KB

MD5
a4cf6e548613dd3171bb8034f459ae65

SHA1
7737ef35f9941df2c512ad04d05b7b619b96d88c

SHA256
1f444516c40ea89f65e8f85395805d611c94c5909dc97ed028c2752090062973

SHA512
00f27223e6aed9e0d30dec9a94fde58ab939f070529a4b94471d517ed28344cde97aa91ece98a79da33f14d40fe03d25f3b0f704cc23e429f9686ba778af387e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
6ba33e59c4d802bfe22b422c21b2b9be

SHA1
e9bbd97147d3596854dd56b6575694e7ca45ba02

SHA256
8be95ace94b013ab591c3fd1a8a56ee998a1153afc83b4ea35180c9831c0bb61

SHA512
2ca7898816ec1511710c66be2dbf442b7a33ea95982d93c5ef35873bf1771609a152a02e08c3bd0c85a83050ca241a96555c9d60e91cc7dcb38d1af48bf3d7b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d7ccf4066998996948fe5acc931a771a

SHA1
788bcf2e6cf6db932336f16d8a469f3ec295da7d

SHA256
e88bd23d5458015e31be85901a2dde8961b97cbab2cb30484e3edb5ccd3b93bd

SHA512
2599e9e9d14cc795a9a6693cc10ef61701cd2fcf5112189cad34d4cd30c6a970fccace52b4411542d41f8fd1ccc40f07cc205a271876d64b53aac7478a2437a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
da73e5638857e2bb884ffc2629142acf

SHA1
cc9b6a1d3974b84e77c9e802cf541f0a0ce4f08c

SHA256
dd5b4558a366a22a2cc17c5e4aa2b1f8c64e20e2021a4a76e5af6a6b9b541d34

SHA512
f24b56e599c2e174b32670de06b00ecc3c3a2df62f2b17f776df8c8b708879443848787cfb32fa22b5c7f74dd2e1750163318b6af3fbd5becffede438f1d1f04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c3a76f12d4f332d53e9c9b1ea688ad3d

SHA1
e0905940a56ebad05e28394e6865848c7eab327d

SHA256
9772deff917d4b1ec60956426fc9d45930dfa87cda2bccabbee785f3845a12f1

SHA512
c19d2c455f292cbddde17f26ea7927ac98ddac0ab2a318cf9c1ed4093d80480f71dde6a90fcd592fbcb1d621cee23801085bf60a7f5b83699cb4fbe9e95c77f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5f29705237f51682ddac3c72824fe7eb

SHA1
6b980a4d0db7d55f73637af67d185eb5d3813f49

SHA256
ab2ab92802d8b1cfe8aa4cf6271044b031c340b034200f9c9666b4da2ea48ed4

SHA512
08e1efb41bc8fb14821f8db52ec1aa86708061139f66dcd5d51dd005e4adf7a57cb263468ad6b9d6adef11db7cfc84944d9e235938f50612f379f6ce7d48a7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c9add3fe668734e0e84122673aa1802d

SHA1
93bcdf763952ee7859d4f8f5caa7101770495a48

SHA256
306550dac39360fb3cd9bbc16546e4322e615dbbcd1c9c2b5ef38bde56bb85c3

SHA512
2df58f6f8281132945274d10fb549893cc593bc2596db7632d70ddbcb7f5a50ded1cb1c6726c920c6229756124df85d537469e0ce5cd9732e92be7a6c354b995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e0e2235f455fed03b35a1cea88185d1f

SHA1
ec2efa77cba9c01b3d8748f8f46dc1ac1b026c9f

SHA256
ab3f796f86010ef1fc09164d7e7e4bca7b85bcbe33fcbb2492164cf93d5d25a2

SHA512
078fd3e1eb0fbf1e64c9adc1ec85bcb66f80629d2ffa0126da540539c1f319d7c5c6391d9edc53d3edd53a58db77c14b2332aa0db7cad3bdf4f3eace7abd60f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8e494dce5107a06f559ddc6cdacbb48f

SHA1
a879f0d407c096d63f5bc392a722ab741ae87a1f

SHA256
23ac29bd9efbfa112ca0d35cae14a0854d11207a1cb8f1f342aa2e242934545a

SHA512
7c89ed238c32dbcd24e368b2b6cab16be0acf252d893f69b5ac3d4fd789c90f8cb832723756350df36d088cba87a960a3d925c0a2e154bdbfe6af8aa24e6a468

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7894df96c5cbfa15b4c54de228ce09cd

SHA1
2245d4743ddb6db54b622af85467e7b9717500fd

SHA256
6a339f7f030b0df22c702186f3acf36424ec78280848c137fada7a5fd2f91672

SHA512
f1da5968ea1b9b8f74dab0b1eca6dc8c20f7082419b5fe10fb591613e9d89dff08336cc8265cefdcd221cbe585c9c6fb30c35a81f9cfd92214270f6030f1a42c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7d06dcf810fc02e16958b65029d7a6b4

SHA1
23b1ef715e11c34ffce8c2443e40aeece398e636

SHA256
f319c9fdd8ba219759488e0936b0234d8344bcdc15cd95be1cbd36065f0cc00a

SHA512
a5522226ba40bbb5998fcccde8c2cc2ebfe900aea62268c650b43fb85e50fadf567ab7b7e9f9b35b9a7200f8f335bba788dadabc99766c5770c8d03bfa02bfdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
513432386e78bd5d3c3623fce929d110

SHA1
0f498f6e0bd2e2e33a8c911f169242768beb23e3

SHA256
c7114378a4d3e75b8ebcf13ffb4cd9f06271119a58e588d2066f48e536f9a554

SHA512
784a4ca99dd300ab8d19565731ed8511e7bfe791ab43546ba7ef14f8054e5331ac39895b4bd1cd113ec89a81b1e45257cb3606156bcd8fa11f0118c89a3032bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG

Filesize
333B

MD5
6c1df8fb900366b6c0db184fa9ff5cfe

SHA1
62bee6a65e5be0d3a34b6a8818e749b33ec069aa

SHA256
554c5382faee5d5d87c535be74c1af745d0cd18c7eaa7a1bdaffc21b0ad7a7c4

SHA512
39cfd3d5e32fe32c825f415f770b3dec5658dd792d08506f51c4470f3bd8a5f14dccd6a3530f409bc60ff10dabd0b25e09fb8272cd7a10c8ccba4a49aa40127f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13383853392295375

Filesize
461B

MD5
3a38e5fdc2790a895a045ea22c2afbea

SHA1
d08775fce00025ae24e3387c0a5598c34751e8e7

SHA256
1da53ad250073e5012318867de6f387e357bfd7dda981c2dc156f365b9640e9d

SHA512
ad0c06b601f95afa81908a2a535d0cba2e370158b96f933ee64d7218e41984534945ce8b07dbbdc5389c0e5d030ee3f5e99cffbc5e8cd2e75f5bbcdfbc117b37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
348B

MD5
3cf26e341265baf057acacfbe13d95a2

SHA1
48ba0a1d146519594121b0cf919a749393f36dfd

SHA256
1848a4fb00c61dc0c9c57ba37487075eed900e46012ea724d33a50e6a8f5e8c1

SHA512
44dca80bc4c6f870f95212add8691563feddb8ba0fd3c54d6ad24719777534dadb5f0b630508bcc36ef6993844c4ced9c4770ff130aac05ce96d42726960b2fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
324B

MD5
f395b0487045df348e9e2246da392143

SHA1
cf1d721061ce2eb07d04f6d4371923232d27b466

SHA256
190bd285c61b2d774bbc5c9be17845a6f1ddb882c7aee737ce98d8475fc34568

SHA512
7c5a6727b56b55dfaffb9672a6f2ba4fa501cafde5c4a023e5c062900180067d4c2213e55c2338f8d464e482a251cdddde40eb622a61e77e66d124704b9782fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager

Filesize
40KB

MD5
0709f4f3471ac8d2b0c26503fbd98aec

SHA1
505799474010227566782c2a93ff33103c7d2570

SHA256
62d17b48637ff74f7315263a0a1a8e81bf9602f315fa4b57af9ed0e81971950d

SHA512
2a4e5485d3721a04f71f207da0fb5027bf496a9a2fa5fe50293df159a3f7181a74f7e17d6acc1e3ecc47c8192ac0f401a280817b09fd9e481e741555082381d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal

Filesize
8KB

MD5
5dbdb2554b91008a5ae4ea13e6ba0716

SHA1
f70ebe60118f473a300b52b9a81c975df778bf65

SHA256
186aad1e6be0a91e5ce419cdd5fcbfc71f0562302d52db89f9fd6fcacf2903a7

SHA512
dd5e0f3a71cf6fb308e87b65abc21310ca29ba0006a9898fbe7019b1f5fb0ccd6241a30e06a2d9f7297b7c5c1b20e31ea6b0b116e52a14e094cddedf6fd0f408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
22KB

MD5
45655fd364e008b3ca9149621d946dad

SHA1
c4c59122fd63986b7766cbe895910af17ac23e02

SHA256
310a1da0ec9fdc978052a227741317e0decce88b08613f3f2fe3482df20444cc

SHA512
d093bc7d5ffc208bed903db8e2677a6a26fa5ca080e16742f5b0f5748c3d0836be99a7d75da9d9cc8d4e2737777fb333a3ab0ed9e3f2572cb05e96ecbd40d811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
7ba75a570e1ab5f1f9159036cf5fd402

SHA1
e7bd39df77d0889408919cea381cd0bd222ef5d3

SHA256
a59eec18f7edfe28a92403d2eb285ba7adc9a82d50e601798d6402e8c83c4db4

SHA512
b4fd87488b6da14736e64412140ffcd08d1011f04017af69bd8664bca9015151e0b4607d931e2457ce4bb7b83e5bf76eb2b17dbdc10ec40981dd5529f53be147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
bed3c52f73240302c2b039371dda2d36

SHA1
57f6f1f03ec206e46544b1f3c4fe5cf4f5d83e94

SHA256
5d92883e349a392ad94916453f7432fdea80eecd538e44404c304a5ce6c58da4

SHA512
db813b05cf204ac3107a29f1cae272d9de21f32319abd39785437da558ffc4ae19e4ea9faed42dbf24c373379bafef52c6d22e94290d435feaead2754c1ccc5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
4c44f6b124cf39279fff00af208fb69c

SHA1
f1e22a2a1712767667179a52c033bab391204cf1

SHA256
48cab65cdbd30e28145d3cf04e14f3d669ef32c0d0747dfcb8f2b0f0892a04db

SHA512
f4aaf4cf2b4ab3b7ccbb4d03eacd10cb201f316500f2e61176dc7ec36af70ae1d37872fe952acc93a51ef3a71766393f23498cc77c04a11aea4b523f7865e12d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
09e788c8141ca5a7d2d189a04b814ecd

SHA1
d51d4bf5f73e9a38dae7ccaa68d23eeb9365693b

SHA256
a000c37d9f5adc4a78ff04e02ab0a374933eab1827bfb99ad8710bf96df42966

SHA512
3ee991aaf01bf877766054c4b163fa803c46b51d931e41db2f54e1e5787d7c5925c83127ba17a34a9633043c4785bce1f43f7450a3f64ad8239d21b366aed1ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
e49fc7a20b9553f2ca556f20ca5852d0

SHA1
a2f62b04407e6eaadba7b13638c725bb86f32556

SHA256
37757042c8f439e05458b35ae50f447c156fcb80e92ffd0008a1a71632e11e5e

SHA512
b0297daa37bf2505db4aefdbdaef25447cfd033106427f16444938c6594e908cc7e60b602f5f3022e660527efb60061836c1f233e68471553fc1239847060ff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
f9101dea7635ce8a73273e97e1396aba

SHA1
69ac00af433ec480f6eaf7a210ad977fb93dc608

SHA256
8bf79626b3751c04b523b662799656de8865d12196ae72cc70f0506a6ed781ce

SHA512
011b5590e1554d57ab21ceeed43aabd03772d116499845608544b22b659356fbbc36da957f4fef5cbc066f938223eec242e01d52743d1963c8a6e5dcb812d952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
b12167d2eba289e7e7d1bed53a170d23

SHA1
be28f0f18e4b5903ac8f6edab92c0c29d61c290e

SHA256
5b0937f83ec0ecad4c78dda3076ea6a6fcd2f18663eea28f8b0d3a1c0d4c2413

SHA512
4ab8a9c1532eebc678079f5fb1280f4405fbe456b2c136906d1145350554083d660656233518d522ae5dcba3ca976633608081d07e90f2ff23c3653fab105b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
09921c2a53348a64e3247c36f88438f0

SHA1
787f5b862d3f3d951b7e25f57947a5318bae86a2

SHA256
c8beac388a89d31c4da467a94ad7f8516ba3e5147deb995f63aa377cade17c82

SHA512
4671cced360551f8c957f08a9cb169c6d37d99b6e31fc590c45b5b7ec4b7c00a420b0430c14d63a6f8195c1e97eb21e193b0034e807c242d384c3321fa189e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db-journal

Filesize
512B

MD5
3f916b15830b01a590e2c73217208f21

SHA1
681c3a49a3c0e41f25d548ca6ef41bc70b11a800

SHA256
1602c19f835e9433a6b2fce06d2ce872ea9d16fdd5e474bd71f0de883781212f

SHA512
89352273515cf20d219d4708fcb045a0eed233b4447c2c79be57337f5018b80cd6932504fffbdc18ae68924e7e44ad70d18ebd38270e8482c8044b430113c5d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\cstnwvj4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
119a66a02dcdb7004498a48c182071d8

SHA1
69d87ad7901602530934c465134336c4d243a8de

SHA256
640682977017c32dd606b9ae4bf3cca450b8708ca38824922af32521d6b951f4

SHA512
e8977054cae9aa10a5254fd5c9c5ef53d744e801cf3d948836bef2d0d590f6632334355763fb9306daa7aa5a9fd0ab76c9ddf393994eddecbf973480088ca31b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b8ef4518907c355b01fad3aac5d34937

SHA1
74f69a39afb1ea7b8382d9c94c7a4d0198dc5560

SHA256
404dab2aa95e4e6af186cfb62b86fee716a442eb09031b30e2c2438e50cf0e4c

SHA512
7f406c33bb0f526cff9ed54548ed3ecc31c3c4523a0ac54f84864cf76e979bf7bac976624cb9d5e256282a0de740f4d031b58123140390c57b1dc36afcd1a9c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fda28e52fa7c1c107364ec12e056115e

SHA1
50dc3404fc6abe090a2fe0ab3fe13074d651e8ce

SHA256
5a847b93c18a75993ef7125d49d6eb22ceea90ffb3ded25afef49b67249d2189

SHA512
eddf3fb8b4ab347818ddecbc6a13d5629f33b25f565695d75bd795bb8c1ea339a9dcdf5cf3033bb15b9e94bfe863a4c58d797339c7619ecb3daf056e070faae3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
549a5095e634b2b66be9f71257e5f16a

SHA1
d802db45be9c01d7448825754de3c4a71cd88086

SHA256
2b86b174d4fe24ca88c067e5af807b1a97e85a20d482d815c9bedec652ec6107

SHA512
7e65c508c560bd1ed36818d5d9d8500ca29f70e87ddfc08eb21cfb092b7df25f7f1ef4d84b6e7d5a19cf3a24419cdafc09825353620c6a8b0d4a8c97e5510e48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\pending_pings\201569a6-ce74-4473-9cb6-6a1a0789f515

Filesize
982B

MD5
874f4b6e8bc6077cf24927243599001b

SHA1
f2b4045e7f19aff7c796b26b9552905a489fcef0

SHA256
6cbe374bff192abf31b22563f65f4f636b71dfe0ac8483984af607420e811fa5

SHA512
4e6472ca2dc9fc0c364988f48c5002a5236fdb1b3fa3edc70887ce4749a463c9a2c0ba643301e0fe59b64a676f6e3b49d45077072fe9374b5c6b4b1e69a5df6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\pending_pings\54a3b249-318b-4bf9-8383-6a505bcab2dd

Filesize
671B

MD5
b9d74ae60308243864fe48b42d69a302

SHA1
86ad8f8fa54d2d3a421ac65e32c8fcac50248002

SHA256
26a53ec3c36f396c496d414192efc1da87656b2ab8bd1bffb7e463fc73095191

SHA512
108800c3c8eb1449ffebf8c3be03ad0b1c3e35cfd012bdfc10e17dd67d3e4555b2eaaf3c691a5e5489087cd4085d62b43a407bcca27439323e82d2085cdb97a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\datareporting\glean\pending_pings\b268b056-c1fe-4afb-85b9-d7c0cffd4705

Filesize
26KB

MD5
c414117ded7ab2a2c8c649c3f752b3f6

SHA1
fd98408e48d1b96299bf4a33ff7b201d5ec75705

SHA256
2065b5a0acb5054a37d3d2ff509a7209579b139ac67f01aa23b4d3f17b36fedb

SHA512
fb93a327823a4172d9a1efa70e58a60a400df7785407cce76ab4d639360a29fd0e85fc9f0e3824e36c3582d8437dfac24a4bb894126f163b2dbc680cb11295f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\prefs-1.js

Filesize
9KB

MD5
b57e9f16c48001e2bc791c942523b761

SHA1
152ca9ef6d38d8561500cb9b74942d5befde260c

SHA256
1373317289c16575a75d73dc9b0a779082d16ac95541dca33fb2a74b2334e286

SHA512
7221d3f4668caca36fa1bd98303c352ffdaca3209983c86046133a0a2419bc13e58c91e6d57679b890c98a7bf80feda8e4e291ab8d187ed2309f1337903b1c8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cstnwvj4.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\Downloads\main.exe

Filesize
5.1MB

MD5
7ca1a467d3565e8827428ac7be5b7bf6

SHA1
63a893bf674933c34cbe216b49722ad18d625fc6

SHA256
efbd528c8ed8c5253b5e191eedc85e30f75778a417b5f427da115e7f44d9dd47

SHA512
9be0926ef5c388853cd7560afdbd97d0f47265b3bef47cefbaaa65c33593e2eb525da9f58079c9411e87ad4a184eff49021fc982bfafe030a55272a311228720

Download Submit
memory/1856-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-230-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-229-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-228-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-217-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-194-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-125-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1856-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download