vidar | cde0869ebe3e11c729f79c65159832f08045c1c17f838816347a192b5de62ffa

Analysis

max time kernel
119s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-11-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlock_Tool_v2.6.6.exe
Size

1.2MB
MD5

1da3ab025aec24902139d9a3f1cd4e6a
SHA1

45683e50a3d034e5fe9da7163ae535387c7a6801
SHA256

cde0869ebe3e11c729f79c65159832f08045c1c17f838816347a192b5de62ffa
SHA512

065005c29c2bb4f267bf89f2c190eaf9428096f8617f437fd760b25c52d3729e17b66a826fe45fb1414be529d445aa985b4316fed377052419a42327aaa8d63c
SSDEEP

24576:Y6YnZ/THIr8oY9uX/B55IctTsHHDs+kig6+3flO:Y6+ZbHIr8huX/ddso+kPV3fw

Score

10^/10

vidar 68fa61169d8a1f0521b8a06aa1f33efb credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

11.8

Botnet

68fa61169d8a1f0521b8a06aa1f33efb

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4640-1-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral2/memory/4640-3-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral2/memory/4640-24-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral2/memory/4640-25-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Unlock_Tool_v2.6.6.exe

description pid process target process

PID 340 set thread context of 4640 340 Unlock_Tool_v2.6.6.exe Unlock_Tool_v2.6.6.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2096 340 WerFault.exe Unlock_Tool_v2.6.6.exe

description	pid	process	target process
PID 340 set thread context of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
2096	340	WerFault.exe	Unlock_Tool_v2.6.6.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetimeout.exeUnlock_Tool_v2.6.6.exeUnlock_Tool_v2.6.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.6.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.6.6.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Unlock_Tool_v2.6.6.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Unlock_Tool_v2.6.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Unlock_Tool_v2.6.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2008 timeout.exe

pid	process
2008	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764004289838745"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Unlock_Tool_v2.6.6.exechrome.exe

pid process

4640 Unlock_Tool_v2.6.6.exe
4640 Unlock_Tool_v2.6.6.exe
3996 chrome.exe
3996 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3996 chrome.exe
3996 chrome.exe
3996 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe

pid	process
4640	Unlock_Tool_v2.6.6.exe
4640	Unlock_Tool_v2.6.6.exe
3996	chrome.exe
3996	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

chrome.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	3996	chrome.exe
Token: SeCreatePagefilePrivilege	3996	chrome.exe
Token: SeShutdownPrivilege	3996	chrome.exe
Token: SeCreatePagefilePrivilege	3996	chrome.exe
Token: SeShutdownPrivilege	3996	chrome.exe
Token: SeCreatePagefilePrivilege	3996	chrome.exe
Token: SeShutdownPrivilege	3996	chrome.exe
Token: SeCreatePagefilePrivilege	3996	chrome.exe
Token: SeDebugPrivilege	340	firefox.exe
Token: SeDebugPrivilege	340	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exefirefox.exe

pid	process
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe
340	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

340 firefox.exe

pid	process
340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Unlock_Tool_v2.6.6.exeUnlock_Tool_v2.6.6.execmd.exechrome.exe

description	pid	process	target process
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 340 wrote to memory of 4640	340	Unlock_Tool_v2.6.6.exe	Unlock_Tool_v2.6.6.exe
PID 4640 wrote to memory of 232	4640	Unlock_Tool_v2.6.6.exe	cmd.exe
PID 4640 wrote to memory of 232	4640	Unlock_Tool_v2.6.6.exe	cmd.exe
PID 4640 wrote to memory of 232	4640	Unlock_Tool_v2.6.6.exe	cmd.exe
PID 232 wrote to memory of 2008	232	cmd.exe	timeout.exe
PID 232 wrote to memory of 2008	232	cmd.exe	timeout.exe
PID 232 wrote to memory of 2008	232	cmd.exe	timeout.exe
PID 3996 wrote to memory of 1940	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1940	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 3784	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 5060	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 5060	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe
PID 3996 wrote to memory of 1572	3996	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.6.exe
"C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.6.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Unlock_Tool_v2.6.6.exe" & rd /s /q "C:\ProgramData\KJECFHCBKKEB" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 160
  2⤵
  - Program crash
  PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 340 -ip 340
1⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdafa2cc40,0x7ffdafa2cc4c,0x7ffdafa2cc58
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,98111346613352824,15057590220813637243,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:1592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2096
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95d2d016-079b-48e5-a890-eca31d672e64} 340 "\\.\pipe\gecko-crash-server-pipe.340" gpu
    3⤵
    PID:8
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7147acd3-3b8d-4ddb-8868-04a6a8356d10} 340 "\\.\pipe\gecko-crash-server-pipe.340" socket
    3⤵
    - Checks processor information in registry
    PID:564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2832 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3200 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9d45840-fc9f-446d-a5b7-a9ac0d3aa92d} 340 "\\.\pipe\gecko-crash-server-pipe.340" tab
    3⤵
    PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3548 -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 2720 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99fedd1b-ee6a-4a7b-a88b-612d344a3361} 340 "\\.\pipe\gecko-crash-server-pipe.340" tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4712 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44465bd2-4bff-4db7-8133-00bc1cf7188f} 340 "\\.\pipe\gecko-crash-server-pipe.340" utility
    3⤵
    - Checks processor information in registry
    PID:3004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5308 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d58ade-adfe-408a-a1fe-0d04ebf2b51b} 340 "\\.\pipe\gecko-crash-server-pipe.340" tab
    3⤵
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa270c25-f2db-4a85-bf29-7d897e24a43b} 340 "\\.\pipe\gecko-crash-server-pipe.340" tab
    3⤵
    PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1364 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36631db5-3592-4d0f-82e9-abc0ac24540e} 340 "\\.\pipe\gecko-crash-server-pipe.340" tab
    3⤵
    PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4fa6209161c7905feb798e41ac2fdc24

SHA1
4df89de2744ad26bed0a75102a4849dae70c817f

SHA256
2594b1366ec92df2c2ede4524bcac664e657838f943b95ce88248cf8723eae03

SHA512
9124783932692c2d79d71032834bfee8741a1c23818a95c8f500036f0df8cdde3072456c382e4df510758d90d8322a1c76d520ba89f1521226ba508ef835fce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
391386b91e0e2ccd7434fe883b4e44ed

SHA1
a7ea543f54ec0b3119eb8fcc1b4bc04eadfbf5b3

SHA256
7094d491cb8302435700284035617517edf3dc9a010294271eca47e75014a49e

SHA512
8a2afe3a08cd88ad4019f4b27f33d4996b9915fde0063c92f11fde269ec174172c7bf4d9498d74d8f0a18f1246ade348aeba00aace5263eaea51c806025dded0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e0383fbebecaf99e98f4c5acb61da8d7

SHA1
7b89b14269deba83b383d472d26087090d4b5c0a

SHA256
a7cb9ac4f47388cec7bc52d070b16e195f068d58a9e5f2165884916c2f28459a

SHA512
310bfc6c1333ab0f80512dc66ba2646dbd54895facc0a5eb25732fe5edb4ed058ab4f0d2b64220bdf592889cd2e182966ce7b1792cdd1337a42a335bb96a4652

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
648474e5ab0d2557e6710e8d0f1cceec

SHA1
0519c55ec4ebcf6b7bf6281401d661b8824e4cef

SHA256
895d09f39bef4e8f973d3434a2d6c0c5ddb6ba092b73e2ab9ec3de5ea5b2a47c

SHA512
5d659e21bb96e3dba1e01ac24ec5c323999dd3e71cac34378bc919e0f6c004fd03c1029f2580875b3f6de35d396286d224f85ccdb2471372c66a6ad8a27267e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
eca6ff22289d3bcc57781e430e112f9a

SHA1
fdf906c0e2a4b7b4f785e65fcc9841407edd200b

SHA256
b580eadd201d45e256da719d17ddbd505fc2c776ee7c2a8635bca440bf669ae0

SHA512
3f65ac01e63d20254adf68f099be075a7976696a25028653dd9f4d91d59db4b8b41192dd3e6bfa90019eab399a5f732fde05c9b0079d48acb487b84639c00af8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
53eec004932eb1aab3d799e43b653ffb

SHA1
ed338136b8cc5a723cea425d3c193d26f15bf1b5

SHA256
c8c0059b802f8443c2de793ce7b83990864d2390c8f56b7e15c03693fd29f4b3

SHA512
4adcc0ff2fe4cc3df9224b3720c0c5df17b3e7dca56f486ac6ed51caade0fcb94421edc20e75834eec60533635c7fbd5d0cd0af17a8d1c03a2a585c72913a7ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
6062fa6ceb1b63d704bacee45d0c2f0f

SHA1
ce7a815bd61475c94d1b57520df44ca982ac1749

SHA256
23505a4e8d0043ee10a487ff7e761f0ae8027d205fd61dacb24d3430bad9447d

SHA512
edbab95136e7546fb0e959d8533458b404f0e899c5a6179c6c3f84e79f5dbf88495cc9647b2380d2ae8684f6b3730147b29e19cf963fe4a0812ae26cb5212341

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
6KB

MD5
b8467dd6d2c2cc6664722a92086b2ba1

SHA1
a755eedcbe57a751919378d2e20684c51c13215c

SHA256
16bc456ba5563a98eeca45db55b608bcf7775d310aca56cdaebc763d92486a2d

SHA512
ffb49ab1c872ff885c0e3605e6b980782bbb548881d166d52217398980c54316ce2f5d11f72cb684ddbd416edc8b2f3be694f71554babf825e065eea216066bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2fb54fdd4b278196de55a488432c1de5

SHA1
5a3c09dff106d554f494fd0fedacbd876cbd501e

SHA256
0af23d8e325c537bb9da2b049e64c2bc6791eca7f9abca78b3eb1aafab85709a

SHA512
70fa51b738f96c8635617f8a352177614f21e32aa7417274d6bdfef3f1981689c599fa97a58ce3fd2d02a11153960194183b052b745e6dd2c534b7ec8edb406a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1713730f9c839df1b91960575a242daf

SHA1
44df3c017fa9fd5d7d066803a561236766cce288

SHA256
6ff7cf7efe9caa069da9ffbb0c2e2c59f1a87a5a57d40c77c16a501095e9ef79

SHA512
e7b017d48e9113dc23a316c5fd8af6f113cf28cc3f651eea12d0065fbe5776769af7112611bf401b73419f81e71ea04d876b566f88e0dfb8afdad33ffaf70db5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\1db3d7e5-2a36-4c5c-9175-5801251c0a6e

Filesize
26KB

MD5
1454c3a386335a2b5e4224be50e39b20

SHA1
6d6febc54343477df20c47d104407be956941488

SHA256
411526f51033508a8eab84d80baaec8831b9f84cc0b5b06093f673fd173a168d

SHA512
a89ffb9fc651d975df7d32415aa5fedb26c4f059c7bfa2c69d1311d8c7721022a79bd40a7d87f5b9d0b4b37a8fdf2208f5f5faf0461b947294b8b9d21ca84363

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\8ec99657-b058-43c4-9a9e-523b787f3a96

Filesize
982B

MD5
7a34abb042c66a390e5a20ba938e128e

SHA1
b3e8343dc431a41ce1ba16d91d5389dffbca2cea

SHA256
f77283db75bfbbcd7a7df143850d3b0c9f6d4ea8ac2247735f37e84aff3b83b0

SHA512
e932fb9f7b58bcd385ef359ba02e42258ad7dc931e59840e873651b490ddccc85c2e9893cc7c3a023e68de12aade5284042d07470479a9da9e19c8e51235039e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\e0c1b013-2a92-4f9a-b01a-ded865b7bdbe

Filesize
671B

MD5
86342cbefb1e0db385fdeb04ff66a50f

SHA1
43188f37f513365ec63189cd2ed6e76251b99aa7

SHA256
36d66672fafd1ba93367c68cab72d3c308d46b2505bffacc07d261f22994bc85

SHA512
d4d5861b65957974ead17c305fbfc0b69e3802a55e06ce41cc2bc674133e723cfd251249acee6c8f7a3dcfbc90705548e0fa0420f895ad0785b1b514140554e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
1f1ac88e8da16741219002c55284fdfb

SHA1
be39fbdc7d9f8ca221b802c54bed36815f62e8e0

SHA256
34d0c97ce03e4504945ab4efd21888e4edc8ef32a272b1502c1ee99020e0ade1

SHA512
b6a7883828ba000004a2c052dd6730b35a7ce7101bc6c7af632aafeb15d9d3cd04579e14e110a4aadedd339031cc3463cedb439fe9011e96b0f05e310462abcc

Download Submit
\??\pipe\crashpad_3996_UGODWDCCUKUZHDOD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/340-0-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/4640-26-0x000000001C650000-0x000000001C8AF000-memory.dmp

Filesize
2.4MB

Download
memory/4640-25-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4640-24-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4640-6-0x00000000007E0000-0x000000000090B000-memory.dmp

Filesize
1.2MB

Download
memory/4640-3-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/4640-1-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download