vidar | 5774bde7146d959bade7f3976943fae0e43fa497eeabf318fb97f829854392cc

Analysis

max time kernel
43s
max time network
171s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 19:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

LauncherS0FT.exe
Size

810.9MB
MD5

a7b4ac9550a8d63bc992147aca794821
SHA1

537e90a20244228c928bc0d1f01907fd7f246894
SHA256

5774bde7146d959bade7f3976943fae0e43fa497eeabf318fb97f829854392cc
SHA512

e745aa07091730032f626b4d5c69d80e3b6f3ec431009245c5480bd90e6d9adffc3b6170e2571392026c590dd11673739ca26d3ef4beec05e0b369f8ee88a741
SSDEEP

196608:UpReULRqbyXOBJwTXes1xJFme/aWDnBYSnfh8p1oLgDOmkT:UwE+CTX71HkeSO6Ip8pmLfmkT

Score

10^/10

vidar fc787ec968ec360fbe65a94cb1c1aabd discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

4.6

Botnet

fc787ec968ec360fbe65a94cb1c1aabd

https://steamcommunity.com/profiles/76561199523054520

https://t.me/vookihhfd

https://t.me/booliiksws

https://t.me/game4serv

Attributes

profile_id_v2
fc787ec968ec360fbe65a94cb1c1aabd
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Loads dropped DLL 2 IoCs

pid	Process
2928	LauncherS0FT.exe
2928	LauncherS0FT.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2928	LauncherS0FT.exe
2928	LauncherS0FT.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LauncherS0FT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LauncherS0FT.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	LauncherS0FT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	LauncherS0FT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	LauncherS0FT.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2928	LauncherS0FT.exe
2928	LauncherS0FT.exe
2928	LauncherS0FT.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2172	2436	chrome.exe	34
PID 2436 wrote to memory of 2172	2436	chrome.exe	34
PID 2436 wrote to memory of 2172	2436	chrome.exe	34
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1692	2436	chrome.exe	35
PID 2436 wrote to memory of 1368	2436	chrome.exe	36
PID 2436 wrote to memory of 1368	2436	chrome.exe	36
PID 2436 wrote to memory of 1368	2436	chrome.exe	36
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37
PID 2436 wrote to memory of 2696	2436	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\LauncherS0FT.exe
"C:\Users\Admin\AppData\Local\Temp\LauncherS0FT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5769758,0x7fef5769768,0x7fef5769778
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1176 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:2
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3708 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3728 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3712 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3924 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1868 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=572 --field-trial-handle=1308,i,11282141033947482338,12240957466736327770,131072 /prefetch:1
  2⤵
  PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd78f5754dcf990e19d95b5f239c87f6

SHA1
f923322decbfafab5c69ee1091c5bbdc0ac83f16

SHA256
86b3aad7f66e06d8fa2ce34908fd4112a97ae092d672647e72e937ed3642bc28

SHA512
259236b9a0c4ae503daae4a5c955df0e90ec610a7b885c8fdf25624858ca95946a48b1e127f401d4a15e65431e1e8e719fc95fa795afadf704f96a41eeb7722a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3198468232a145184f5e8e953be094eb

SHA1
f78a2a2e7f287ebb0567ad18d906927cfcfdcf88

SHA256
e820fe7617e749de7b02c1902ad5e296eb4099715ca28f011cd8885418540200

SHA512
96071cad100e62155fa1a81af1610fe8fc9c6eab81db1e93ae066b11d9482fe8225f53d9e0554ef0614432a991ba6d05e7ce6c45f13c08a570b10d1f6d54ac2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcf576d8a713730e4d277c8801f87b52

SHA1
018cb1f627322f5c255cef61b05b1e4b384e9612

SHA256
eb1988ebc1b1e16bf0b0457cd3138971e1c742d0228ce632ed62433fd5276ff4

SHA512
aeb4b2461125f219ba8dfe54cf059cc7f87f39201c043f460aaf712c92fd217511002015813d49c241928d2aa0d4e6230a7d94a6bb700fb08fb14968a705507e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6df332ffdd340c699d1ad26fb04d54d

SHA1
dcdd9f66dcb712ce37cbcc385dbe858b6e07c20b

SHA256
6e1918dd92a6ddeefecb706d6805baeee74fb9a279039e5dfca9fb51fbf88b20

SHA512
80339f229134671f6d7fe8515c8759a6ddc426203dbb988f5aa76edf7d58b38d371b5ce4863b1bc8f63210ed2bf0573e6891f0e18e957a7104de9479c930d980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a1811885690317d8a91d40b27dae439

SHA1
7f9cda0c95b42bff05184a21e4f3a9ac6ba8439f

SHA256
e3d182a3cfdae08a61fa4eb286f4becdf7fc2fb36e9a4dd8129801728d6a6178

SHA512
c431186e50a3a10a7ce49b1ab3d75f35db659564dd3338d3bc8e32dda860cc29b92f11692c3dab182caf7e7ad5edd5d11470b8f173b376bad229d91437ab1edb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b51179278c1dd59749d0e39217a74a94

SHA1
5fd8c73efcf763f951e5ff6a79a5ab8e5775b47f

SHA256
ef49620bed336ee0d3bde6067baee5c73f94ec2ab4e915e53a543c6cae5761d8

SHA512
9928eca08bedc44a515333728b4207648734322047387fa33f4d24b34462e7b94c312b092081718eab7bc85d31114afc5365e63349087ed8c5ba2ed0d3d5c088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53439c7c2d673edaa2ea13ae3ce5d631

SHA1
18f20986be313597aaa493fef684f981b8feadd9

SHA256
3182bead07a0bdaf8303ec8300b0d053f0ab72d1068e96091681c65e74811367

SHA512
3f3f4bb4d087020091af40a87ad54c5a8f09034a7b85f31ce4e0395e406ccb0d7ae2ea42fb68b4fc1336068cf3042156e253c8b8d615d78e005ce39a5a137070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
1.6MB

MD5
088fc1eac5d2ddbfc1250911da43af58

SHA1
de3f782ae408b46aa5ac5880a8d6f39a361be77d

SHA256
8a8372ac0761924b3c82dfcf74456eecd144e36265b14c82254271b6de987795

SHA512
191ad00ba3148c7c704418968ddb2adbe3450dbfa596e401d7710ea13fafc317c39b77e561497ae15d53a78457c3ca6cfc05f8e4121d32948a39ec98a666a3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f2b80b2c3032f92e3b6defa9d7fb76c2

SHA1
1684176297c8c24f5ac5f1db2645f840e740a5a5

SHA256
9435bdb00afbef246aa60b39fc40bb103145ee3e8c0f14386ea24c35935f019f

SHA512
7fcff019e44176c37ec8cfcec49cb9b3e0face3e927fc8d89d2ea9a85d5e2179f6111c54272b6d4c556c5e71aee2b4bb3e1d8a2026beeed708152260642688d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
4d0b001d267f9a5f238e2aba27821b4e

SHA1
e44e758292f3da7c28b13ba11a17831052936b38

SHA256
8c11860dbea21f612947c81aa9aac13e6171c3cb46fa889b39c989c8b22f1c3d

SHA512
99cf451501f3d7f7540312fd8e4624d3909af03cb0e82da2e22495da1209a0da1bce88a0eb590fb607b78b426c2918b21b6d0f5c2c59900f6b4e7dcc2bc4906a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
276b60248ffd68567d32e6cd29664185

SHA1
dda1afff5fbcfc4b394a347ff6af46f4b17c8c09

SHA256
fe9e3f8336bc35422fc571e8ba43f59900a3606d4131c3591a7a4693756117a6

SHA512
e9bda7c499844059f05aa61b08e6cbbcd75b5262667a7a3a0208417ae267058c3c6a3ec394cad33765e49e52f14dccece6578b316562c017ef2fce87258ec426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
821dbefe83892843a14cc243f9539d03

SHA1
8356a115162bad08c9859c33bc40073b3d7a7d75

SHA256
328c68a3b7aa62ce2d0672a74834273dfdc88c1e76708531d695156a9a719028

SHA512
29c3758c4ba44e3471ed5e3ba9aad12cf52bc0127b32e18576f65b541aacc916e43598ade560225efa7f9b7b8cadd13be8c5064209192deb5301ec53e602e389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
4bcf4712f6da249d0cad9e3516749c1a

SHA1
3064fc70dfe20a4050e7976601e3c4678739a8d9

SHA256
846aed8b11a35b35cc4558df84c340aa23200260e17183758242a77d13e30ee0

SHA512
f57524c3715c5d2eaf555b5f27dff0e9b0df89bb90af642405c7a72f6a84eae3335f88a2f8e41c7e555d7ed6bfc2c63d9bdd1c3dcc4e28341d5b8b9c3b73a3ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0b63ba9b1044c8cd6e0cbcfadef3f1d3

SHA1
caf570ebd1ec31c834459e5e104c42a6f110bc2d

SHA256
262a1bdcd136a5d83eed1d81ee06d4ed1befb57eb66f056ebb8d33a093abdafb

SHA512
4e9297e590f354c797ace152ae0f1a9a55d8235ffed27ebe7b4b6d3ded54b20b1d82727f5ffc0e4b09d798605c2a64e3fe536a4df849d1f249f9838bcf4b8e2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bd3f451044a6fae6330996780336f72b

SHA1
b84cc9591cc6b5e453175b49461ec933c3a94535

SHA256
500564092e9234863d997d913d231dcb2cd59ebe2f8eb0eab614ac240816c00a

SHA512
7cac6ba09acdd3fb441ba784cb859b38e5de5e8a7e5f98da0667021ed11365f3ddca063c00332bc47628fd7eec5e5d6fc739de9e71510876ac42f53718f3282e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
0acb268adc0ee2a5ff217a5a2c1581a5

SHA1
25cf58f5a44ba3d5b1278180022b5faf4e99219e

SHA256
fec1caf0d7974ae5d1bf340b3aa6db7765c650d0ce402979eb992766cbe6afa2

SHA512
81b89073e87fcffbbfcca554f239354ba91b02fd1d4d4f23354fd17d081a44e57c2e81f41fa583b85a0156384b0f6feb58612ffba0dc79ea37794123a1a0e6ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9cdbf552c4bfa9e6eec40ffb9dbc134f

SHA1
0dccb58b23cc5a55fe32a11230a22b08f89c103e

SHA256
1cf4d0669032612214b31c08faa1539deb9101188e5d7d9b3faeb64e6e774c4f

SHA512
3340386ee291b6857d8becf960c27a8cbcabb6314429ec0720e2a33ffe4a5948d0635baea3815b76bc9533303200620b1c4d74b1b88fa365174553f33f3ce9fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7996.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A06.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2928-68-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2928-65-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2928-55-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2928-77-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2928-76-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2928-74-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2928-73-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2928-71-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2928-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2928-78-0x0000000000400000-0x00000000013EC000-memory.dmp

Filesize
15.9MB

Download
memory/2928-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2928-128-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2928-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2928-63-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2928-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2928-58-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2928-57-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2928-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2928-54-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download