vidar | aa226ab5c6754cbbf77de7e20a0bf76529cd7a7b1066df846c15aa89f6cbd0a1

Resubmissions

08/02/2025, 15:20

250208-sq511atmfl 10

08/02/2025, 15:20

250208-sqyxpaske1 10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08/02/2025, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

360KB
MD5

216340f456c7adb3db07da2b551e1066
SHA1

a9623a90d83ac30a74f52ff9042647d4dad473ec
SHA256

aa226ab5c6754cbbf77de7e20a0bf76529cd7a7b1066df846c15aa89f6cbd0a1
SHA512

8625016bf03fb6b1cedf18371eb2fafa77f10df33ebf09ffa74ca0d79616dbf5544c72ab85317e06d8a8a97980b23681dddf88ce3df06f8df4f3ba68b15c3cbb
SSDEEP

6144:O/a19BSfmQl2G0GI++lx19BSfmQl2G0GI++lM:P19inIT19inIe

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 35 IoCs

stealer

resource	yara_rule
behavioral2/memory/3172-4-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-5-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-6-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-8-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-15-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-16-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-17-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-18-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-52-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-57-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-58-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-59-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-60-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-61-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-62-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-63-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-64-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-105-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-107-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-109-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-108-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-110-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-111-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-113-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-114-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-115-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-116-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-118-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-119-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-120-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-121-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-122-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-123-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3172-124-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
98	3812	Process not Found

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1376	chrome.exe
4812	msedge.exe
3668	msedge.exe
2940	chrome.exe
3088	chrome.exe
4140	msedge.exe
4792	msedge.exe
1548	msedge.exe
3212	chrome.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/564-1-0x0000000000FD0000-0x0000000001034000-memory.dmp	net_reactor

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 3172	564	Setup.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1940	564	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1732	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133835016647770278"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe
3212	chrome.exe
3212	chrome.exe
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
4828	msedge.exe
4828	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe
3172	Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe
4812	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 564 wrote to memory of 3172	564	Setup.exe	84
PID 3172 wrote to memory of 3212	3172	Setup.exe	88
PID 3172 wrote to memory of 3212	3172	Setup.exe	88
PID 3212 wrote to memory of 3840	3212	chrome.exe	89
PID 3212 wrote to memory of 3840	3212	chrome.exe	89
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 3560	3212	chrome.exe	90
PID 3212 wrote to memory of 4396	3212	chrome.exe	91
PID 3212 wrote to memory of 4396	3212	chrome.exe	91
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92
PID 3212 wrote to memory of 3712	3212	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffb53a9cc40,0x7ffb53a9cc4c,0x7ffb53a9cc58
      4⤵
      PID:3840
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=1980 /prefetch:2
      4⤵
      PID:3560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2228,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:4396
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2472 /prefetch:8
      4⤵
      PID:3712
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2940
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4576 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1376
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4192,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4272 /prefetch:8
      4⤵
      PID:3368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4476 /prefetch:8
      4⤵
      PID:2604
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4892 /prefetch:8
      4⤵
      PID:1056
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4332,i,4778518126239647083,7602843644343624136,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4808 /prefetch:8
      4⤵
      PID:3424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb53f446f8,0x7ffb53f44708,0x7ffb53f44718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:1196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2124,9634227411103507822,5566784432840082609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 996
  2⤵
  - Program crash
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 564 -ip 564
1⤵
PID:820

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3836

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkVCRDkxODItOTBCMC00QUFBLUEzNkUtNkIzQjhCOUJBMkM0fSIgdXNlcmlkPSJ7MEU0QjM4ODktQTlDRS00NjBDLUIyRDctNkMzRTBCRjk1REY3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEUyNTYxRjUtNDgyRi00RDc5LUFCQzMtMjI3NzY5QkFCMjI4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTU1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5OTgxMDYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUyMDMxMTc5MSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
2face99cd59a389e7c33dc5ac3d70b82

SHA1
298417d14f1fb81b2d29f0c3cd32206b722a4ae7

SHA256
a9c718dd3643852891ab4993b17b912fae84791cfd49049d2786e8f3207806ec

SHA512
0ec476534cd03209b0e9bfea65afb4a27d33a54273b6860c44f46bc10da84e41afdb551364f47852a22872113cb3fe2e983b1235bda35a1147aa03696d95c984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93c24509a4655fc4e247810f1237b016

SHA1
af42f0737a2e7d324303b18ce7da8c86a3753782

SHA256
d9eee0267974d42fd17c21fc5e594454dc7e671314cda3dfa50469ccfa4cfab8

SHA512
c3d878b87cfe8756432325425ec98cf65c4898ed32e2baf674b66ecff18eaaa6bb43ff964420aba559f5fca25f9fd7c4c983b0b6cc2fb47db2f350a33b42b8c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a4aa97de4f3069ddab5bfc65bcadd93

SHA1
04097bc4fec0c819d12c55dcfbf03628acde8f47

SHA256
740558ba5507bd58d1869a8c4ef0a2454893e920e3050d7e61835e8f02749d15

SHA512
0861f7a3ed9823d5539f851164c78caa92546fa7f86880ea6c92700e66ba470255b32d844aedc53fb298d32c09f65833154d4ae5f1e9d22fbbd57784bb19223c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
memory/564-0-0x00000000736DE000-0x00000000736DF000-memory.dmp

Filesize
4KB

Download
memory/564-1-0x0000000000FD0000-0x0000000001034000-memory.dmp

Filesize
400KB

Download
memory/564-2-0x0000000005F20000-0x00000000064C6000-memory.dmp

Filesize
5.6MB

Download
memory/564-7-0x00000000736D0000-0x0000000073E81000-memory.dmp

Filesize
7.7MB

Download
memory/3172-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-105-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-52-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-59-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-107-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-109-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-108-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-110-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-111-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-113-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-114-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-115-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-116-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-118-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-119-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-121-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-122-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3172-124-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download