Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2025, 15:13
Static task: static1
Behavioral task: behavioral1
  Sample: 1VB7gm8.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1VB7gm8.exe
  Resource: win10v2004-20250129-en
General
Target: 1VB7gm8.exe
Size: 1.7MB
MD5: 0f2e0a4daa819b94536f513d8bb3bfe2
SHA1: 4f73cec6761d425000a5586a7325378148d67861
SHA256: 8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39
SHA512: 80a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b
SSDEEP: 49152:kvigLTTxYy9dxaAc73z4PQqLiy1jhDMBhKwnq2:kvi6hYy7YAI3ziLZA6wq
Malware Config
Signatures
Detect Vidar Stealer [23 IoCs]
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1VB7gm8.exe
Uses browser remote debugging [2 TTPs, 9 IoCs]
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
520 | msedge.exe
4296 | chrome.exe
1192 | msedge.exe
3328 | msedge.exe
4084 | msedge.exe
3156 | chrome.exe
2448 | chrome.exe
3152 | chrome.exe
3352 | msedge.exe
Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1VB7gm8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1VB7gm8.exe
Checks computer location settings [2 TTPs, 1 IoC]
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | 1VB7gm8.exe
Identifies Wine through registry keys [2 TTPs, 1 IoC]
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Wine | 1VB7gm8.exe
Reads data files stored by FTP clients [2 TTPs]
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers [3 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files [1 TTP]
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
pid | Process
5032 | 1VB7gm8.exe
Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTP, 3 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1VB7gm8.exe
Checks processor information in registry [2 TTPs, 5 IoCs]
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1VB7gm8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1VB7gm8.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msedge.exe
Delays execution with timeout.exe [1 IoC]
pid | Process
4100 | timeout.exe
Enumerates system info in registry [2 TTPs, 8 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS [2 IoCs]
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133834151780550050" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Suspicious behavior: EnumeratesProcesses [25 IoCs]
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [7 IoCs]
pid | Process
3156 | chrome.exe
3156 | chrome.exe
3156 | chrome.exe
1192 | msedge.exe
1192 | msedge.exe
1192 | msedge.exe
1192 | msedge.exe
Suspicious use of AdjustPrivilegeToken [14 IoCs]
Suspicious use of FindShellTrayWindow [51 IoCs]
Suspicious use of WriteProcessMemory [64 IoCs]
Processes
C:\Users\Admin\AppData\Local\Temp\1VB7gm8.exe (PID 5032)
  "C:\Users\Admin\AppData\Local\Temp\1VB7gm8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3156)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1072)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aa59cc40,0x7ff8aa59cc4c,0x7ff8aa59cc58
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3380)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1936 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4176)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2196 /prefetch:3
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5004)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2480 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4296)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3208 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2448)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3256 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3152)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4520 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1192)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4472 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1064)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4184 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 400)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4784 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3196)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,820125535122770452,12571139875654607590,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4840 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1192)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4916)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b9d746f8,0x7ff8b9d74708,0x7ff8b9d74718
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1776)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2812)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2024)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3352)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3328)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4084)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      - Uses browser remote debugging
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 520)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2000,5537127448556151923,10696082444981136701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      - Uses browser remote debugging
  C:\Windows\SysWOW64\cmd.exe (PID 3736)
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\2ny5p" & exit
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\timeout.exe (PID 4100)
      timeout /t 10
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3552)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\svchost.exe (PID 4548)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
  Modify Authentication Process: 1
  Steal Web Session Cookie: 1
  Unsecured Credentials: 4
  Credentials In Files: 4
Downloads