vidar | 7b57fc8247fcbb96a51179ee5f6ac33113b67fe891fc79af6fe68fec29968470

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

18KB
MD5

c3ba1375694274633324d415de31e874
SHA1

9cb98523c24d967f5b6fe967c9932d66472ebb73
SHA256

7b57fc8247fcbb96a51179ee5f6ac33113b67fe891fc79af6fe68fec29968470
SHA512

7fb6370260b9cb8daeebf97c619fd88d6fd8a4efc7e84b8793b452ffdd1f3f9c7fdb101832a2bd64ca9b6ab16b21ad54854bb3af51034a3f022c1cc781b15dee
SSDEEP

384:rBlwDpmReVoOs4lN9ylKeGM9UbhhblFKeb7tN2weXlVJCBXQL:rBlwBVoOs4lryI1MehbjKeP6DJQQL

Score

10^/10

vidar 1b9d7ec5a25ab9d78c31777a0016a097 stealer

Malware Config

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1828-253-0x00000000004F0000-0x0000000000520000-memory.dmp	family_vidar_v7
behavioral1/memory/4344-254-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/4344-257-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/4344-258-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/4344-302-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

build2.exebuild2.exe

pid process

1828 build2.exe
4344 build2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

build2.exe

description pid process target process

PID 1828 set thread context of 4344 1828 build2.exe build2.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3824 4344 WerFault.exe build2.exe

pid	process
1828	build2.exe
4344	build2.exe

description	pid	process	target process
PID 1828 set thread context of 4344	1828	build2.exe	build2.exe

pid	pid_target	process	target process
3824	4344	WerFault.exe	build2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133514195883773071"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4280 chrome.exe
4280 chrome.exe
4856 chrome.exe
4856 chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4280 wrote to memory of 204	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 204	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4580	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4780	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4780	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe
PID 4280 wrote to memory of 4192	4280	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbd9a49758,0x7ffbd9a49768,0x7ffbd9a49778
1⤵
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2856 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2848 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:2
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1664 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5000 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5308 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5376 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5272 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5924 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6000 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6100 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=164 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:1
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4976 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4904 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4844 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 --field-trial-handle=1788,i,15723585491507098724,517592019282983936,131072 /prefetch:8
2⤵
PID:2784

C:\Users\Admin\Downloads\build2.exe
"C:\Users\Admin\Downloads\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828

C:\Users\Admin\Downloads\build2.exe
"C:\Users\Admin\Downloads\build2.exe"
3⤵
- Executes dropped EXE
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1844
4⤵
- Program crash
PID:3824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
0529b8447f502a12c974b46880c4e108

SHA1
be086c11a6a49861ed6f76a2314a9e5c2e992ee5

SHA256
fe84948629e9754e9bb1f8dc0dcb434dbe3378922b49ecb0ea2025d264fc50f9

SHA512
7c32d84a4687de86f1cae9dcc53bda63455ad23a5fe8c0fc62a37c77ea115863ff27d159b157a252ef503a7167795321a5a16f971c7c2b2bf7db0328a670df38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
21780542ff8a84ac458fae6f9fbd6a37

SHA1
5159e9bdc78cd1bace02359afc349e7aa0568434

SHA256
4f1630610ef4698919111561c11c9c5e1a9d931183c6423aff20c8bbb3c173fd

SHA512
f2afff6fd87c53df0e13241d0e3a1fed5153157b16d7a2c48873bcf1eb05325d2c5766cac13010f5801fa72c0f59ecf4ce3f3e276a6e9a13cab9f9bc4828dba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
84f8cb3c90cf5109760d090aa3ed9c35

SHA1
a3e1561cc0ded98d9dfc80ab3947799ffa614352

SHA256
89958bb5d5979aae938bd9645f97ef742f2592f47118c4de2cc342d8bc07a094

SHA512
27d5fed81657166c3366be396722b14dffc6a714abdfbcf5612231dd5ed1afd70ce929571f145bcba792f9d804162cffc1e1882d6219a6c1403d590b5e7c850f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
cca35d2ed57b2391d04cd171a19d09e0

SHA1
acba02ffb7c2858be854d494b0a113babc2bacc0

SHA256
517bedeb6f9f1eb64bf2e4299ec174ca6ee08fec1dad5d707592d81d052e19d9

SHA512
f230dbb890a9631d90c47bf06be9374bdf7cedfa8ec79d56faa4aeb6ceff590d09cca8979ab57e662d6b9a376080736200d6b2b94eeb615d6fecd4e56dd9c9bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
1e24cec7682aede131ce06a8427ad474

SHA1
cd3e16503672a22881eefe535de5ca3dd2a79d31

SHA256
37b62031be49a6076d8cfc99125578314587891527d17c744a6e1198c333ce06

SHA512
5b725c09d9ab7c1272f442fe01fd3907768a4cff6afad9440c68232aee4fe71482da652e2f693d56ecc18b7d0e3d1c4bdfb8040819108fbc384c59acf9d72451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
6a09c913498eddc0944cdf84203bc3ac

SHA1
b5e0dca105e1a8a4bf345a91e60b05f0e5dfdc3c

SHA256
c1ca3713b1889c89ab4fc29e8accee4b11b75439c0eff5ef3771acc5060f370f

SHA512
6dc6d40e7df14dc8fe7b9bb54f72aa821b5490416650a68a5a5302dc60b9b93a5b7074bb1be0bbe9df7be35ba4faa314a89159e3f29b49885150a7a6462707fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
35a63a3cb1f531e2465e37440ce206b9

SHA1
af252f5d2233920330c25915551cbe46f23d84ca

SHA256
7e50f2a6601d602b43294abc99a03e2c0fa354838487d170cf73ea907ec52fad

SHA512
81d51a750b0ddd7117e2f65b65d48816fc3e0a6b343b2793d02c1df2815b3394b4eeb8e53ff5a3f192685cab2a1ac88b5151621d1e161eec1d61aab7db12fb35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6e610baa51f4d1ae144637a3a7821708

SHA1
118fe55e2b50884567479a34e2cd74187a9c419b

SHA256
f22ffe20a459dd225567d55ded9d6a49d01da6c75f3b23fe9ffb5842be3435d8

SHA512
f809301a1026238b83983e0b94889c5815cc4bd4607e8987474866a07f5a4c38295c96d229db76caf1ba9c28790b476d6442082bda8cfdd683083012c2b6e7bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ff140b5cba582805554d30c8b1154098

SHA1
59a5db9f654a841834beee8b728b0a8f002ca347

SHA256
d8b9c633ab26ff3d4a90d3def3dd4aacfefa9ea86c8c82587b95257b9ab38f3c

SHA512
7905f0db28d296f567fea9c4ba44486cfa69b917d8b1f7c3d088f7e5bbd76cebdf0f159b748e4bf4d10b3357d6b889b598fc718bf5c3ef2b75e0ba09ef709a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
97be5bbc9474c9a83f6fba01aab71b6f

SHA1
c0cc00f24e2af50bb1155f3eab2b445066d49ae4

SHA256
0c1c161211cbb30971fe45972b1e0418bfe995be7ae9f7f38a2f0fcd5d578899

SHA512
4277a5a661fdd3a466c033eecae137d626a6123368545ac0b8b7e2f4ec45f44a5910abe393747b8cb7c924d963781752a4b48825e9f000c5f98a45dd1d4a8099

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1376896de4069ba86b9ceee779d47b53

SHA1
aee9b8895f8c7cf3ca0ec071afb907dcb40438b1

SHA256
19d98861908e90539516fb69dd2a1454f687e57905762adb379ef666bf82337a

SHA512
62ff4224a913873a737db8508f4ee6a0ebe7c50e03c009e17800eab0a89457cfc926b540bf19073b23e44ca0e9f71337c4fcc555018f5384080a025757664009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
58636e8fc1fc1f2144dc2037331ffbab

SHA1
c495509a3021482e962b5817ba82bb50c1f0c270

SHA256
798879c8593a5f4c940bca4474b9bb271fcb306afdb5e95958767afe709513a4

SHA512
0d02e43cba7c75c663aee8a292d0651c0f44a6c22e7960a678674df7d36e1a3a56ea4d792903ccb76e62d4acb5229100598e32bf6ab66a59fad8118e2a0f3edb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
81705fabb39941d0a1c6d82603effd76

SHA1
54389aae4bd47c6af257ebcb96e1924a1ac864dd

SHA256
b77986c4de2ec3249d9402fb97745809d24b18914d1b92de33975544f34df774

SHA512
152be929ae0ded1dc7425d99a31ca9be4f10cf2c18e58bf4746139f194a1506d3b0841d3a543fda02a84608840aba0f4da51750dcc9f1d634d0ba2a382fc8a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
56021de23284527b0fabc3c6457bbf24

SHA1
efaa4565c80279d8d1904be512fab900fb5eee35

SHA256
c804019a17347e80a9baf48042ea5660fae1a7b3073f03ecb2de9be5cd1daf08

SHA512
65a5cc6de5a85c74350e03a78b04d237d9657f102b0d9bd8f8ebf3b2d1c0024d00eee5f01cb5c4b57c4655b26130a406bdb03d2dbf8ed6179b3a970dd72e60ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
b74ec0150e7b4d6c480690cc0cb7176a

SHA1
a041c127b5278381607f8088d369e614ec15eb64

SHA256
a903597c0d6bd8eff0d1ccb22311595893bc8a4efe57324c375246d6f91d96a6

SHA512
123808b61a98146fb2c374e7bf18e8ef085e55047b6f369efffe92c3e68cdf29ecd6efa0db930311a270aa9073a5ee8c08c1ed8e86539bcf8e5fbd82c849285a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
9daf9b3e2e415ee217695896c3787f57

SHA1
643f269d371f6d72bc131af54f78e9fb9f61ea78

SHA256
87c81cc25aa0212ad0072e78fcb51ea84e5c27efc1d32cbff7e5b9936bf533ae

SHA512
4f5e73d16ed8a18deb8b00a3990e4d04664c432941848c22475f92da12d8b9ea6735887574d928045bb9ef1e7b03da12ff856017f6009931bff89362890cbc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe582110.TMP
Filesize
93KB

MD5
d4420c469b3b05b39582bdbdf5744b34

SHA1
0fc78231e9a7130aa011c4950f480c09e4b0f623

SHA256
5bf8ca4618f618a0a5235420b55f5539684ac1db833860772b7859102f1d547f

SHA512
0e9c72fb590ed2167452a0a41215075d991574a3169da7738943df5d4b25dff513192f4126159127c30c7fc7a8f220946213fd21493edb2046125d67b6661e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\??\pipe\crashpad_4280_JWNWYNZJCQBEUWNU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1828-253-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/1828-252-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/4344-254-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4344-257-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4344-258-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4344-302-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download