vidar | hxxps://www[.]mediafire[.]com/folder/vnkr1egpyh3vm/Driver+Booster+Pro

Resubmissions

05-10-2024 21:06

241005-zx53xasfrq 10

05-10-2024 20:43

241005-zhmm1sxanc 3

Analysis

max time kernel
933s
max time network
1085s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/vnkr1egpyh3vm/Driver+Booster+Pro

Score

10^/10

vidar 2c447a3a3ad43bca51b075083f951002 credential_access defense_evasion discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

2c447a3a3ad43bca51b075083f951002

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/5168-455-0x0000000000A30000-0x000000000158E000-memory.dmp	family_vidar_v7
behavioral1/memory/3488-1010-0x0000000000F80000-0x0000000001ADE000-memory.dmp	family_vidar_v7
behavioral1/memory/5168-1029-0x0000000000A30000-0x000000000158E000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5168	Set-up.exe
3488	Set-up.exe

Loads dropped DLL 2 IoCs

pid	Process
5168	Set-up.exe
5168	Set-up.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zO8894BE05\Set-up.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12.rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO8894BE05\Set-up.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
5812	msedge.exe
5812	msedge.exe
1148	msedge.exe
1148	msedge.exe
1400	identity_helper.exe
1400	identity_helper.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
2540	msedge.exe
5152	msedge.exe
5152	msedge.exe
5168	Set-up.exe
5168	Set-up.exe
5168	Set-up.exe
5168	Set-up.exe
5168	Set-up.exe
5168	Set-up.exe
3488	Set-up.exe
3488	Set-up.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2440	7zFM.exe
Token: 35	2440	7zFM.exe
Token: SeSecurityPrivilege	2440	7zFM.exe
Token: SeRestorePrivilege	892	7zG.exe
Token: 35	892	7zG.exe
Token: SeSecurityPrivilege	892	7zG.exe
Token: SeSecurityPrivilege	892	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5812 wrote to memory of 3100	5812	msedge.exe	78
PID 5812 wrote to memory of 3100	5812	msedge.exe	78
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3136	5812	msedge.exe	79
PID 5812 wrote to memory of 3140	5812	msedge.exe	80
PID 5812 wrote to memory of 3140	5812	msedge.exe	80
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81
PID 5812 wrote to memory of 2016	5812	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/vnkr1egpyh3vm/Driver+Booster+Pro
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f4603cb8,0x7ff9f4603cc8,0x7ff9f4603cd8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1324 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,446701406702736679,10129082095677431590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3732

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12.rar"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2440
- C:\Users\Admin\AppData\Local\Temp\7zO8894BE05\Set-up.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8894BE05\Set-up.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12\" -spe -an -ai#7zMap6209:120:7zEvent28037
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12\Set-up.exe
"C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HCFCAAEBGCAK\ECGDHD

Filesize
512KB

MD5
59071590099d21dd439896592338bf95

SHA1
6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

SHA256
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

SHA512
eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5555f4294d426bf1b00ec5a49668f0fe

SHA1
6a8506f69fbd58ed8810763bf7a6a4925bdf28ad

SHA256
393b679fad27ec356159c83e1c7c86f30a74d8a02a825b705fa40bd4f3e5bfc5

SHA512
33576e1cf4ee9eaec1f7968360c8b6ea100614cbd081ffacce144269f25e6fbd76f1c1158163317bb919e2f986ebafe0bf2afc6b0172a59a59d0f372423857a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
a0aeff0f7c50708f86261b9cd98c77d5

SHA1
7b0f979dd6a5f28027cc74ce80be49c628d3100a

SHA256
81f02b7717431ecd073f8994c69bf1cde26f9cf2f5484bb5de9edb98abec3824

SHA512
b952a3c49c600fa39e538d6fcc383b1bbd753b5d14843ddc5d4ec76f3c57686793fc81aaefa31f9ed6bc5fc43af832937116f0b4f7ab31bcba28ef571db9b882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
19f00ee8e0a68ecb73314f03b03ef747

SHA1
e475fef2215a97030c6b452b809bf5b4edf48c45

SHA256
8f67cecf12f5bc76bbeaf74a466be3006416a7bc1de5298c45d4c4a72dbb0ea7

SHA512
cb2634f93dc0aa8d27bc4b530b1d347bf32ae7c4728b81a6ba80563f39871bdf57cfc4a6284c88a66ce74bd9e85397945246a6c54075281dc45dd7d2afac140d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
2b6c752f59a1505bae304b3fd5905da6

SHA1
78749c15709f17887d3829efac813ca7ed854e14

SHA256
71abdaed379cb4e5b6122e580e3887741260f7bd46a225815cbc50af99bf6463

SHA512
c1d5dd0dd7d5f81fb00e7a29a8473b06aa4bc79e0344ac5cf65abe9b55aba19cf2de78be893d04d1c4c6b519ad448b54ea3957262098f93cf58aedd6abb33200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d8e9728bc40370a20d92bf76bd8ed60

SHA1
f022d1317774d8302989568bbd653d420fb4e33f

SHA256
60bcda720380005d9b751b7603e9616b60de7675f076b0ae79e02a11e4be82dc

SHA512
2a3f1083b6586d87e6e36ac4f611bbd6239f288f798ec17d258841a2e67296b3d1c5edb13244f6d5973f47cd603a0e94ffef00ea18e7b6dcf54c227a7590a6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4d0e22078e3b5c16cbb595765f42f4d0

SHA1
7e2653e42b1c9d40d692f7042930f30f1af13add

SHA256
2058ac89fe987995298808463c0565b4ab2ad9b44f82c7d50d1a2d10e36ad96d

SHA512
829ac991290f5148ca3f63a422bf401863899660a4b33886ab8a219d2b38466a5dcf01d336acfec1e5b2a8e9d875b234597cae7571b550eb9f69317dd8842309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9ccd956269d2da3e069a2edf2efb99ef

SHA1
380a1a862779c695c537de1dd836c238d9cbd66d

SHA256
30c92849d19f47db6c31b4ffd568b97c28d76c7ae2ed2d1759b7d9397e840a59

SHA512
b1e2890682a58e82b12ce071bb3d44167b3d07395e99a6a7e39021727eabd5771e328f83941ca8d33f10bad97b165a26407f45467f2c34678671c2f5b984e009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d3d380a5a83948d72a46b0ea47df1cb

SHA1
0893aec941de145a017a3cd8216c1dab5ce1461c

SHA256
f49d0fd5b6f7f662aa15e382f6f880610f926aaf3aa75f277bde8436cd8b80e1

SHA512
3aca930dd1a74318da4d2445b75993ff085af05552e885f49e76cd2a70054e14ff1ad80e2c728e7fcb4bb4200a9a922833b901c6ceb0e4dccf80a6f4bc51a5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3c43101428bff5ea88bd13767e0fb7bb

SHA1
04ffe2e282e6aa25a5edd3cb897853c1199a43bd

SHA256
802b0bc5054eae062e37e8da55ef865486af870ce4e2c66ba25d4439efdaeae3

SHA512
3990e6e4d92d17a4f5e1d89b1525bfadc4df72c7abb14d110fe7ed2dc6a09d4e0d57cf947049ff78bd36c4ae30ae4bf55a8c7b179f1119c74e836a37fd3e1be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d7f1.TMP

Filesize
1KB

MD5
cc0e57231a113951ca58e09028eebcdf

SHA1
012a95f61bade2dec4da372bc6f81e915bfa09dc

SHA256
a3640eddb9a40436c4bd368690a92497c80a5c616da1b4aa193af38f577203ea

SHA512
d09ce3ead45225c36e0c3b62511913a6757cefd352ba0028c3c7c1c8753f0b4ba7ce2505f7abf1a6895ef805d7454a5ad9b68c46ce98a93081699ce31767172c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b238f39182899cee656e2e44c77128d

SHA1
7633f87fa4844865c83be19ae146a6c917623f80

SHA256
c1d90fcec86318eeefdae9786ce3ae06916625e4786e1fdb3e0589979a75a144

SHA512
8296ac4008a2fbb3ab9302bdf3261ab033b721620b6c90942c6097e7f5eae158117b137921b9ce5cd24fbbb38ad457791a981813bf1d32de6a3ef215f6d1c20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a217cd403e04b81d6166af4616a44a7d

SHA1
85ee917f9cdecfc75aa6c0fa1f0604580129879a

SHA256
119b82dc5a6be6ccc4c7ebe9e9e6f4e1978cda4959482c479f91929732905491

SHA512
59e341454d2cb0178827c94dcdbc00aa8e74591f7d4cb5611c3090400a90fd83fa80fa5ed0d8fd7d5710b306c56e4ff11871f91330904335e17b701f11c13472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50af016c1a75f95cc720853d8f8f9d3a

SHA1
a192622d5f37886228b18dd24ef6cc50179592bd

SHA256
4266277a37073167d6d2998f94cd1e812444fbe4c5ddb67a7877cafe03685034

SHA512
7af21bac06aec77cbdf9113cf9674ca5e40308bd4e8168bac0a12fea2eb3b30b504408d6d5802aa32caf2124b99f85d08fe7bcc7cc7a326bd471ac7e1da7af8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
acdaf14150e839c16629fc69bee13998

SHA1
961c2fc7f4b224cb5d9fe9fbf079778f2dd023e3

SHA256
191b79fb1f5de008d836aba1526d4ffccfe718481a13836821f6bf3f92985ead

SHA512
b18b677e1ab47084c369b81c3e4d94e27a9dbf6df5e9fbc96857ec5528909fdcab95746814432d57b585ac0278a7e4ea3baa9982cf4a9d20839789cc9fbefcf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U8JSEUQZ\76561199780418869[1].htm

Filesize
34KB

MD5
695211148dad6242be03b15a7a54fb98

SHA1
e3f32ea8e23f1267c19549924497e0fbe32ce192

SHA256
04a3a5fee280425158ce321ffd505b81ef9952224db556e817205ae0411cd1d5

SHA512
ae32fbbab775083e9d850f6441f0f06991109cd57d18f190cbe495baf632df735be30a808afb54bd3a0e0c045239acf9beb6adb305bdca87042d53d16abdfc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8894BE05\Set-up.exe:Zone.Identifier

Filesize
335B

MD5
bc72ba883bed0add3791d34a9b158344

SHA1
730eb1910bf502148fbe923813edd535e5601cd2

SHA256
8a426f8a997e6b8d2ad6c89c2df6d301c24c54cdddf52cc9653161c2eac7e721

SHA512
a400fb5572fd414ec52953c6857cf02b7401b303e0073c151c8308581e665bcae622f36657d81f2c4a5a7f0d23315446d4df1026a1e5a63596909c68cfbc6e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
086785827e3487e4cf6990185b5632f7

SHA1
aa010ae337b7eec8aa57ada7e1843deb549754b8

SHA256
a38aa72629780cc98baff0ab642cc0250d1c018e67ecc649745f4ff34bf05d90

SHA512
619cd0af2bb6b946253921f01d62462ff481a12f4f4975a8140452d79238f9bbf4743c3255ce1ccecee48d46cd9c9b64d2e8d5e68671f129c09b8cf2b052dd4c

Download Submit
C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
C:\Users\Admin\Downloads\IObit Driver Booster Pro v.12\Source\App\DriverBooster\Icons\Apps\vcrt2015.png

Filesize
1KB

MD5
a364eb8919ad57f2278960cf6a062862

SHA1
dd7fa8dd5894960fa47e8c74e2acec034da803d3

SHA256
ac4531a4b4fe3b34054eb33f2caabe2776be0ea5fc5056670c139caffd51b4f4

SHA512
68e06dcbf244211caac4e386bc73856a7b4da97681e58de3470d6f1000abd336c2d13c84ee11e2bcda9a48afd176efc34f9567ef3bebd5577731956402ead96b

Download Submit
memory/3488-1008-0x0000000000F80000-0x0000000001ADE000-memory.dmp

Filesize
11.4MB

Download
memory/3488-1009-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3488-1010-0x0000000000F80000-0x0000000001ADE000-memory.dmp

Filesize
11.4MB

Download
memory/5168-464-0x0000000025FF0000-0x000000002624F000-memory.dmp

Filesize
2.4MB

Download
memory/5168-455-0x0000000000A30000-0x000000000158E000-memory.dmp

Filesize
11.4MB

Download
memory/5168-454-0x0000000003EA0000-0x0000000003EA1000-memory.dmp

Filesize
4KB

Download
memory/5168-1029-0x0000000000A30000-0x000000000158E000-memory.dmp

Filesize
11.4MB

Download
memory/5168-453-0x0000000000A30000-0x000000000158E000-memory.dmp

Filesize
11.4MB

Download