vidar | 87456e358fac3b5c8c3c1997cc4b5a4c692073972a08033837f15d022086668c

Analysis

max time kernel
132s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe
Size

1.9MB
MD5

93079de0bd272e60957277651faba8e6
SHA1

6881ba19895707f88b3a25dace643ee450d5e978
SHA256

87456e358fac3b5c8c3c1997cc4b5a4c692073972a08033837f15d022086668c
SHA512

127a1db9614d1a0f9da080a83ee260e47eb604baf7f412c690e0f908f27db32620d2bd28a6c4487c99db944a10816db0d035891ca69dc2b3a26001059e1f70f3
SSDEEP

24576:NNI2LXlFLf2uee/0kd+mELBX11GyDXcOSbNpZwGlUR:LnFFytugGlUR

Score

10^/10

vidar 861aaf32ff897d13c49344e110765213 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

861aaf32ff897d13c49344e110765213

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral2/memory/5968-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-23-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-28-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-368-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-369-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-370-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-371-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-378-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-380-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-384-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-466-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-539-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-655-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-658-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-661-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-662-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-663-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-664-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-665-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-666-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-667-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5968-670-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4540	msedge.exe
2276	msedge.exe
3424	chrome.exe
4796	chrome.exe
3236	chrome.exe
1648	chrome.exe
5944	chrome.exe
5608	msedge.exe
1504	msedge.exe
3808	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5416	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878686439392146"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{EEA79870-D1B9-40E3-B86F-E9D0E37F90F5}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
3424	chrome.exe
3424	chrome.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe
5968	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 5452	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 1060 wrote to memory of 5452	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 1060 wrote to memory of 5452	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 1060 wrote to memory of 5968	1060	2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe	87
PID 5968 wrote to memory of 3424	5968	MSBuild.exe	96
PID 5968 wrote to memory of 3424	5968	MSBuild.exe	96
PID 3424 wrote to memory of 3088	3424	chrome.exe	97
PID 3424 wrote to memory of 3088	3424	chrome.exe	97
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 5232	3424	chrome.exe	98
PID 3424 wrote to memory of 4148	3424	chrome.exe	99
PID 3424 wrote to memory of 4148	3424	chrome.exe	99
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100
PID 3424 wrote to memory of 2448	3424	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_93079de0bd272e60957277651faba8e6_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc58adcf8,0x7ffbc58add04,0x7ffbc58add10
      4⤵
      PID:3088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1972 /prefetch:2
      4⤵
      PID:5232
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2216,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:4148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2488 /prefetch:8
      4⤵
      PID:2448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3236
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4280 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:1648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4744 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5340 /prefetch:8
      4⤵
      PID:4012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5360,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5492 /prefetch:8
      4⤵
      PID:4128
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5560 /prefetch:8
      4⤵
      PID:3092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5732 /prefetch:8
      4⤵
      PID:5060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5624 /prefetch:8
      4⤵
      PID:5024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5744,i,8616414648699980565,12010966334159810722,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5748 /prefetch:8
      4⤵
      PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffbb5a6f208,0x7ffbb5a6f214,0x7ffbb5a6f220
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1924,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:2780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2528,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4168,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4184,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5232,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8
      4⤵
      PID:1436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4884,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
      4⤵
      PID:1144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4860,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
      4⤵
      PID:1208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
      4⤵
      PID:2232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:8
      4⤵
      PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,325663011721205294,8061307890291825812,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:8
      4⤵
      PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9z5fu" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5416

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ad7bf7f2c6cd7fb6ea8b45227c956489

SHA1
e789062bc48347847f1df6e9d797fd13a24aff53

SHA256
03a0e407647211eeff8e843589ab677cb4def4bc856a429e51af8a6e2de9a38b

SHA512
78ad9d26b4da2c6ec36ad52e3e2b584477c89e49edd0316be4a7b79da27e833b90e92d042bdf0b91e099b26a043ba59a68de04155a8a30aaa5af3d083bbf2bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
7225cb6af943a4534e3f81fa7ba41dd1

SHA1
ee911eeefdff733c3638d17cb8d70745ad6deda0

SHA256
f9bdd68e214e130ebc8ffff009e1826cdd88d9af29c51addb19abedba3f73352

SHA512
034300cbc3a5de16f1b3bcc1360daba9cfcee3604b5eb63fec2f43bb60b6e9cd4af75f60333a51d693656a533a7f8eca23793ca0c41c6f355feb172faac052f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eec55fe349980566b1dbf1d409d28c3e

SHA1
654ce4b550defea0851f12e8ff81ae9298bb3f60

SHA256
2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

SHA512
58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5a7e1750438748bd333b79a94ca69b2a

SHA1
94fd1be56969e269ce195ba29c3d464d356d6556

SHA256
6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

SHA512
842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
2KB

MD5
856c3012a5517300e29134dce27f836d

SHA1
a4f63f7cc6fcac3b6ee31b7946d4f89140225c38

SHA256
538ac14add097792ea9f1168944da25d29655b6b1127d446ccd214b310e1be39

SHA512
98bb8c4dfcbc17bff6db3680c527205b238c54636cdbd69fe671835969eabed5ddd5c8a8c82113cd552647c871d4aeddc7e87ef29d428477d2d64214e43ff5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe57c44a.TMP

Filesize
2KB

MD5
33922533dab2ccd14fefd8d15882a995

SHA1
21ea47542f121953d270558ffd36c9241b0d7fd4

SHA256
bc0b6c80fdf798030c0a62265236bd2464106310d370a6a4857a606fd2a98399

SHA512
53cb0167cdc6ab288a0030b7934814079d4aad42deafe776985a01a21b2d2ef8adacff46cb6d94cb2fc485bab2079656af117fce67ff430a92f29a454047ca46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
89f131abcd89db587f34ee9f4c557214

SHA1
f8a7d1f8e43c236ec757c2400206322c8a9e1cb0

SHA256
29c53e695c3ad4d8419bc4c59a59f5462b8bc73da8a675c0533b7d3b32e80928

SHA512
cdb66ae5cd3dc187b0bce144c5ac8b45bbcbcddb75105add7855ffe9581bb08905f6e038fcbc952f88b290debdd7db9021ae25274cb5fb658045d0511d0925dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d5a8fe96-20f3-4cea-a83a-2678f1748443.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
295660445e157ff50762eea6ed494696

SHA1
206d9d64f00de0617cb3cbff3664506adabd443b

SHA256
19da46f9e80532a8ff9da4047e3f046992f7aaea06bd15365d4b5bca0ecec62e

SHA512
8ad97def20ab10096c9bc8765b42e5cdad24751cef7ae0c3dc2c5b04d60a099806aa055b98e3bba71584f542b6d16cb88ee5c986604ade1096e0a7cd13535628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
f40ec14c4816a703445bc3e74019b6e4

SHA1
5839ed117defe3bce3777db4cad159b708474400

SHA256
abee5b7fc5f16db4c2e9b0f7b31d4f1ae888a9715eeaf724d6cf104e392712cd

SHA512
dedcbcc5939c7f29efca61b64b5992be43b0fb6c6c9e1198ebc110d74f82e5c841c9633a6067fc62fb825db2c07ab6f66d67c135f0f699b037310ed255908016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
dbeba0e05502cdf0383576d164b4c820

SHA1
2dd956d1e942f567b45bc92f6d89148a295e1694

SHA256
0f20c47c6853e7449a77ae27e5f0c9dd91c2d66aced23757df9c1d3a0983d262

SHA512
b90e4a38f2a532594f399a9a2b5a67b9dc84f16ae3362895ec8b10786801abbb54d7c3f092b3d6b6d981da992a41d8216a328f27bdfad41b2aef0d4a2158a540

Download Submit
C:\Users\Admin\AppData\Local\Temp\a88a9bea-f94d-43a6-9d29-1f2a5bc13dbc.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3424_1966549244\cd00a47e-8016-447c-8f7d-3f0c7491b0dc.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/5968-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-370-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-371-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-384-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-466-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-368-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-539-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-655-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-658-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-661-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-662-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-663-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-664-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-665-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-666-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-667-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5968-670-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download