Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250207-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 08/02/2025, 15:20
Static task: static1
Behavioral task: behavioral1 (sample Setup.exe, resource win7-20241010-en)
Behavioral task: behavioral2 (sample Setup.exe, resource win10ltsc2021-20250207-en)
Behavioral task: behavioral3 (sample Setup.exe, resource win11-20250207-en)
General

Target: Setup.exe
Size: 360KB
MD5: 216340f456c7adb3db07da2b551e1066
SHA1: a9623a90d83ac30a74f52ff9042647d4dad473ec
SHA256: aa226ab5c6754cbbf77de7e20a0bf76529cd7a7b1066df846c15aa89f6cbd0a1
SHA512: 8625016bf03fb6b1cedf18371eb2fafa77f10df33ebf09ffa74ca0d79616dbf5544c72ab85317e06d8a8a97980b23681dddf88ce3df06f8df4f3ba68b15c3cbb
SSDEEP: 6144:O/a19BSfmQl2G0GI++lx19BSfmQl2G0GI++lM:P19inIT19inIe
Malware Config

Extracted family: vidar
C2 lookup URLs:
- https://t.me/sok33tn
- https://steamcommunity.com/profiles/76561199824159981
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Signatures

Detect Vidar Stealer (35 IoCs)
Vidar family

Downloads MZ/PE file (1 IoC)
  flow | pid | Process
  98 | 3812 | Process not Found

Uses browser remote debugging (2 TTPs, 9 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid | Process
  1376 | chrome.exe
  4812 | msedge.exe
  3668 | msedge.exe
  2940 | chrome.exe
  3088 | chrome.exe
  4140 | msedge.exe
  4792 | msedge.exe
  1548 | msedge.exe
  3212 | chrome.exe

.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource | yara_rule
  behavioral2/memory/564-1-0x0000000000FD0000-0x0000000001034000-memory.dmp | net_reactor

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 564 set thread context of 3172 | 564 | Setup.exe | 84

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SystemTemp | chrome.exe

Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1940 | 564 | WerFault.exe | 82

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1732 | MicrosoftEdgeUpdate.exe

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msedge.exe

Enumerates system info in registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133835016647770278" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3212 | chrome.exe
  3212 | chrome.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe
  2728 | msedge.exe
  2728 | msedge.exe
  2728 | msedge.exe
  2728 | msedge.exe
  4828 | msedge.exe
  4828 | msedge.exe
  4812 | msedge.exe
  4812 | msedge.exe
  4812 | msedge.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe
  3172 | Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | Process
  3212 | chrome.exe
  3212 | chrome.exe
  3212 | chrome.exe
  4812 | msedge.exe
  4812 | msedge.exe
  4812 | msedge.exe
  4812 | msedge.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe
  Token: SeShutdownPrivilege | 3212 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3212 | chrome.exe

Suspicious use of FindShellTrayWindow (51 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree (the bracketed number is the nesting depth; children are indented under their parent):

[1] Setup.exe  (PID 564)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] Setup.exe  (PID 3172)
      cmd: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] chrome.exe  (PID 3212)
        cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        - Uses browser remote debugging
        - Drops file in Windows directory
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [4] chrome.exe  (PID 3840)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb53a9cc40,0x7ffb53a9cc4c,0x7ffb53a9cc58
      [4] chrome.exe  (PID 3560)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=1980 /prefetch:2
      [4] chrome.exe  (PID 4396)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2228,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2244 /prefetch:3
      [4] chrome.exe  (PID 3712)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2472 /prefetch:8
      [4] chrome.exe  (PID 3088)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3232 /prefetch:1
          - Uses browser remote debugging
      [4] chrome.exe  (PID 2940)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3264 /prefetch:1
          - Uses browser remote debugging
      [4] chrome.exe  (PID 1376)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4576 /prefetch:1
          - Uses browser remote debugging
      [4] chrome.exe  (PID 3368)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4192,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4272 /prefetch:8
      [4] chrome.exe  (PID 2604)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4476 /prefetch:8
      [4] chrome.exe  (PID 1056)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4892 /prefetch:8
      [4] chrome.exe  (PID 3424)
          cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4332,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4808 /prefetch:8
    [3] msedge.exe  (PID 4812)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        - Uses browser remote debugging
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
      [4] msedge.exe  (PID 2728)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb53f446f8,0x7ffb53f44708,0x7ffb53f44718
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
      [4] msedge.exe  (PID 1196)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      [4] msedge.exe  (PID 4828)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
      [4] msedge.exe  (PID 2948)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      [4] msedge.exe  (PID 3668)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
          - Uses browser remote debugging
      [4] msedge.exe  (PID 4140)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
          - Uses browser remote debugging
      [4] msedge.exe  (PID 4792)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
          - Uses browser remote debugging
      [4] msedge.exe  (PID 1548)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
          - Uses browser remote debugging
  [2] WerFault.exe  (PID 1940)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 996
      - Program crash

[1] WerFault.exe  (PID 820)
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 564 -ip 564

[1] elevation_service.exe  (PID 336)
    cmd: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

[1] svchost.exe  (PID 3836)
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

[depth not recoverable from extraction] MicrosoftEdgeUpdate.exe  (PID 1732)
    cmd: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
  Modify Authentication Process: 1
  Steal Web Session Cookie: 1
  Unsecured Credentials: 4
  Credentials In Files: 4
Downloads

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 125KB
MD5: 2face99cd59a389e7c33dc5ac3d70b82
SHA1: 298417d14f1fb81b2d29f0c3cd32206b722a4ae7
SHA256: a9c718dd3643852891ab4993b17b912fae84791cfd49049d2786e8f3207806ec
SHA512: 0ec476534cd03209b0e9bfea65afb4a27d33a54273b6860c44f46bc10da84e41afdb551364f47852a22872113cb3fe2e983b1235bda35a1147aa03696d95c984

Filesize: 152B
MD5: 93c24509a4655fc4e247810f1237b016
SHA1: af42f0737a2e7d324303b18ce7da8c86a3753782
SHA256: d9eee0267974d42fd17c21fc5e594454dc7e671314cda3dfa50469ccfa4cfab8
SHA512: c3d878b87cfe8756432325425ec98cf65c4898ed32e2baf674b66ecff18eaaa6bb43ff964420aba559f5fca25f9fd7c4c983b0b6cc2fb47db2f350a33b42b8c4

Filesize: 5KB
MD5: 4a4aa97de4f3069ddab5bfc65bcadd93
SHA1: 04097bc4fec0c819d12c55dcfbf03628acde8f47
SHA256: 740558ba5507bd58d1869a8c4ef0a2454893e920e3050d7e61835e8f02749d15
SHA512: 0861f7a3ed9823d5539f851164c78caa92546fa7f86880ea6c92700e66ba470255b32d844aedc53fb298d32c09f65833154d4ae5f1e9d22fbbd57784bb19223c

Filesize: 112KB
MD5: e03fc0ff83fdfa203efc0eb3d2b8ed35
SHA1: c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664
SHA256: 08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe
SHA512: c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2