Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 06:12

General

  • Target

    6dc517f58f112adcdd3cfae606a67964.exe

  • Size

    6.2MB

  • MD5

    6dc517f58f112adcdd3cfae606a67964

  • SHA1

    b59f74642e963111027613ce0206ca77aec06fda

  • SHA256

    2a559ce1ff609781226319d7f57d6c8cf32487bd87bb796ea43ee015aa104a73

  • SHA512

    6f04ac98d9ea1eb203d2b93e9ff9f02a26b2ff61a4afc61b47f5d7f6260a80bc085fbc24c97c43407651c231156f468d4fe00cb152e64c6be948fed6b19f4ed8

  • SSDEEP

    98304:cTiMEvjmzKewwsZ2XoCx7fR+Q6VCKrUk:iiMEaI24C1UQszrU

Malware Config

Extracted

Family

vidar

C2

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

  • Detect Vidar Stealer 20 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Loads dropped DLL 3 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dc517f58f112adcdd3cfae606a67964.exe
    "C:\Users\Admin\AppData\Local\Temp\6dc517f58f112adcdd3cfae606a67964.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb105acc40,0x7ffb105acc4c,0x7ffb105acc58
          4⤵
          PID:4296
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
          4⤵
          PID:1612
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
          4⤵
          PID:3916
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2476 /prefetch:8
          4⤵
          PID:1700
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:1620
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2832
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:2484
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
          4⤵
          PID:1728
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
          4⤵
          PID:2772
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:8
          4⤵
          PID:2536
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
          4⤵
          PID:4400
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
          4⤵
          PID:1688
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
          4⤵
          PID:1912
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
          4⤵
          PID:4844
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3992,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
          4⤵
          PID:3896
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4972,i,5877420800993083253,731024290688185974,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:2
          4⤵
          • Uses browser remote debugging
          PID:4124
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        3⤵
        • Uses browser remote debugging
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        PID:1628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb105b46f8,0x7ffb105b4708,0x7ffb105b4718
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1728
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
          4⤵
          PID:4320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2820
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
          4⤵
          PID:872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:3416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:4128
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:900
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
          4⤵
          • Uses browser remote debugging
          PID:4464
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
          4⤵
          PID:4004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
          4⤵
          PID:1356
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2556 /prefetch:2
          4⤵
          PID:4916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2516 /prefetch:2
          4⤵
          PID:5036
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3676 /prefetch:2
          4⤵
          PID:5000
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2108 /prefetch:2
          4⤵
          PID:5052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3037167929550503238,9692785342090945328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4592 /prefetch:2
          4⤵
          PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAFIDGCFHIEH" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3960
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 10
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4252
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:4860
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\chrome.dll

    Filesize

    676KB

    MD5

    eda18948a989176f4eebb175ce806255

    SHA1

    ff22a3d5f5fb705137f233c36622c79eab995897

    SHA256

    81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

    SHA512

    160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

    Filesize

    649B

    MD5

    097851949b7b3cd182055074c560e096

    SHA1

    c93e0e82fcedbd4d30c2f2d259b4d559100f04fe

    SHA256

    1af3073c22eb81f560c28a61aacc224a58f40197087f6e2ef4b00148c7488568

    SHA512

    78200b8b1d6a7ff4f1a7cbc1cc22ebe327177bf430c0f6beaff4f2d24a3fdded63fabacf78b671ed330984c08070bb3e4816da2458b08fd4b3b9635cc73f2ae7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

    Filesize

    851B

    MD5

    07ffbe5f24ca348723ff8c6c488abfb8

    SHA1

    6dc2851e39b2ee38f88cf5c35a90171dbea5b690

    SHA256

    6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

    SHA512

    7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

    Filesize

    854B

    MD5

    4ec1df2da46182103d2ffc3b92d20ca5

    SHA1

    fb9d1ba3710cf31a87165317c6edc110e98994ce

    SHA256

    6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

    SHA512

    939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0613e8c6-1a8f-4af0-bea4-a92d260aef8a.dmp

    Filesize

    838KB

    MD5

    0da14538d31b395536a3956ed4fdc9e5

    SHA1

    7c5d21180f4d6b0d073f3d8f491fea55b72f1722

    SHA256

    ea8269f1635ed984e83da05303021a4232ea055b8ecd497091ca29c2cb1ec891

    SHA512

    4e79bd7090347620427bbfde7562f0ff2141dc0f9a5073a49d52e04e7341555c05f06d0097e27dbe25de7d15adaa26295f86638d1121d6d2c0d12a6034ddbc56

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7d032778-6174-4cb0-8a0f-3c26c2860edf.dmp

                                                  Filesize

                                                  838KB

                                                  MD5

                                                  7b5313a165361e3748bc182ebae4049d

                                                  SHA1

                                                  70eed9375ed2200c7c45f8d1b6d6faee8fc9dccb

                                                  SHA256

                                                  a606a9041f5e693495e1a99a7f25c082076107654a90a903e75c2cd96e6d4c02

                                                  SHA512

                                                  42d7d4b15e59af0da38da2b999887f4a1122f9313d35fe19cdcbc775e416802cbf22bc9afb9e8757c5ba9d6370ecdea58c084912eee8697c2f14b5e17a02e7ac

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\98ec3142-2ab8-45cb-9be0-e49ff7ec9202.dmp

                                                  Filesize

                                                  830KB

                                                  MD5

                                                  2e0ce6fd6398368dd4743c7db43992b1

                                                  SHA1

                                                  e732896b931016554736b03f8fd88b17beb92a93

                                                  SHA256

                                                  226fc56b906a0139096b2a998459a8a98dd8db52f643868dc4bbc5be810a9e36

                                                  SHA512

                                                  8911b34013a7e1a5f6dbb46ca70969f0ecb5996da490049403d174d645bd44ee56a72a6b3011ef46ac7b66b018b32129b30a3b24f7aaaa174abe2a2c5728dbda

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\acb65d6d-3bf2-4745-ae4e-71a3c474f580.dmp

                                                  Filesize

                                                  826KB

                                                  MD5

                                                  8ef806b65cbce611a94ec3a2a2b4d874

                                                  SHA1

                                                  4265212779ef2ba6da7fa5f250c92c09dfb3f03c

                                                  SHA256

                                                  c10c3b357b265e8fc617506fd0d4706b0445fe3a3f98ac8e6ddef4ec8fc1844d

                                                  SHA512

                                                  d380086b8e19aab3b14b44e27a8af145a8dbac487e0bc2fa8106314844b2058e726463b7e4781615e48e1adc9ab879496a2d52a2847c901e812d8641b6833286

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\c3de236d-a689-46a5-b5e0-e2ff05b58a8e.dmp

                                                  Filesize

                                                  830KB

                                                  MD5

                                                  0e8bff4dfd953025a61b25e7287341c9

                                                  SHA1

                                                  2374832a5066371d5805975c29496040925e3eb0

                                                  SHA256

                                                  4dec3047086f8d4e531feb104d1c63ebbe77b6d7562c33d93b281f3ec9692146

                                                  SHA512

                                                  616ada106e851628608c86538990a17f47e85486d8161914101642cb0538b15907ea4983cbf30a31dd28e1d2cdd5cecf87d491456ec3fa24512f681dcad6579d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\df1e4b14-97b7-4213-8f5b-76368e37a9f6.dmp

                                                  Filesize

                                                  838KB

                                                  MD5

                                                  76601ac124b73f4141a0e67bc7debcf8

                                                  SHA1

                                                  eb83b6946bf446389b01eca03071990abae3437e

                                                  SHA256

                                                  62e7fee7f3b77ee933b753d40079421dedbf3c5415ba6ad9141e3f8e5d2c81e9

                                                  SHA512

                                                  61050a73b6248031f25a063bffad7c7d175c3acf60b3b6f4d232572a85b43f13c57a64156340362ab7a1405b7612ac02808fb2ce82eb1c3d31ec6c9991572d73

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e6faf259-bd9f-40a6-856c-a2f9074f8629.dmp

                                                  Filesize

                                                  826KB

                                                  MD5

                                                  707e7ede92cd502cc956bab8f8dd3e71

                                                  SHA1

                                                  3b41ac37287f0eca566267c6247d7e7e56b205d5

                                                  SHA256

                                                  726744c1ef8e01efd15828dde0548b1680604d623e70791662f0e3ae71b8c52f

                                                  SHA512

                                                  bbe90bb865c245a75e7ef6c644e9c60f072a55378236d851bcb789b7f346d4433dd10e2343a7b6115b74fa3c6a36dfef0d598795f946a13d5276b14ab4250c8a

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  443a627d539ca4eab732bad0cbe7332b

                                                  SHA1

                                                  86b18b906a1acd2a22f4b2c78ac3564c394a9569

                                                  SHA256

                                                  1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                                                  SHA512

                                                  923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  99afa4934d1e3c56bbce114b356e8a99

                                                  SHA1

                                                  3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                                                  SHA256

                                                  08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                                                  SHA512

                                                  76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  e79ccdda3d02041e4582383f403f46ec

                                                  SHA1

                                                  d1d1effa9c94337585f915e2d2b8afac88d529bb

                                                  SHA256

                                                  f93a5d3256d6ba6acbe5c2fb412d43aa0552be424510593ae8a1a831b17e211f

                                                  SHA512

                                                  6ef237e368a012022bf2a4aa58d423242ba175258ec4841124cecc4fe5fa0e96f0aa395b0e831b578457b4b049fbd3d038d2f9ea24211bac7e548f0f163fe719

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  d6c01fb86d6ec5129911641f2c69cda5

                                                  SHA1

                                                  f9577ceedb8d07fbc6dd85bd74b20af5bb498050

                                                  SHA256

                                                  f3464fcf05e18581948c615c513e2a7fa439ca18b644930e1690d54a72176165

                                                  SHA512

                                                  3a20879c5b79f702f9d3c2a32ce245c9c3107eb428e44c0244a3995eb34903e9c39ed5965c499951a711a4ac13ebc29f0466cb3cc0910076ca72ba0eb242709e

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  91fd901262deec20c96ea4294dd1a315

                                                  SHA1

                                                  9136fd6f2f26448a4fec58fed68e3db23509da82

                                                  SHA256

                                                  47617d52052cdd61f38d232f9d764871b627d83236be95f8a8316bf4a6078c12

                                                  SHA512

                                                  a61734c1c39b76b1a107b6d5ba470feae2d3c1205877f0aaee8e767799a1b40bcfb4665f25a0ea74036f6d8282fb8dd9612668ed86bd435522d625c307b65f87

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\320185d7-3f78-41ed-9cf9-729dbfb2b88d.tmp

                                                  Filesize

                                                  1B

                                                  MD5

                                                  5058f1af8388633f609cadb75a75dc9d

                                                  SHA1

                                                  3a52ce780950d4d969792a2559cd519d7ee8c727

                                                  SHA256

                                                  cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                  SHA512

                                                  0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  5KB

                                                  MD5

                                                  1ead52cafc096df017ef06e08b294d50

                                                  SHA1

                                                  379b79e2626df12035171e2f9b04ac4eb3867a5e

                                                  SHA256

                                                  25f93e3f344c920ce704fb800b027b2c9dbe781d46071066c4ec61d17a5ebb4d

                                                  SHA512

                                                  183e267800c8ec4d8647b812b784eee68e16da17055d160e3d2aa0afa7cb9afed395766fe79781475e0dd8c7aeacec7084ecc62bd00b7d8480c331f882a682dd

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                  Filesize

                                                  264KB

                                                  MD5

                                                  f50f89a0a91564d0b8a211f8921aa7de

                                                  SHA1

                                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                  SHA256

                                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                  SHA512

                                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                • C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_1364954427\9803a27c-0229-46cd-93c0-bc4f622ace06.tmp

                                                  Filesize

                                                  132KB

                                                  MD5

                                                  da75bb05d10acc967eecaac040d3d733

                                                  SHA1

                                                  95c08e067df713af8992db113f7e9aec84f17181

                                                  SHA256

                                                  33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

                                                  SHA512

                                                  56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

                                                • C:\Users\Admin\AppData\Local\Temp\scoped_dir4300_1364954427\CRX_INSTALL\_locales\en_CA\messages.json

                                                  Filesize

                                                  711B

                                                  MD5

                                                  558659936250e03cc14b60ebf648aa09

                                                  SHA1

                                                  32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                  SHA256

                                                  2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                  SHA512

                                                  1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                • memory/2624-660-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-7-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-467-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-0-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-70-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-473-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-28-0x000000001B6B0000-0x000000001B90F000-memory.dmp

                                                  Filesize

                                                  2.4MB

                                                • memory/2624-474-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-27-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-26-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-10-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-466-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-840-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-834-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-841-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-4-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-1-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-863-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-864-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-871-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-872-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB

                                                • memory/2624-873-0x0000000000690000-0x0000000000990000-memory.dmp

                                                  Filesize

                                                  3.0MB