Analysis
-
max time kernel
145s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18-02-2025 18:02
General
-
Target
config.js
-
Size
4KB
-
MD5
b50f09dd1b24a4873bf0f24447ede431
-
SHA1
4a32f009ae0f2988ccbe0994cd3e8720428891db
-
SHA256
eb7593118f659dce4e1ef47eef2d465070c8cde955696f1f4925ff0076a54e3e
-
SHA512
c99cb30f2f894ec9770638d3a0e662941bc5112c226ef0096fdd4b7ceda8541ba572602fa139c335db9cbf113937455170b73d04174cb8ef6674758f99876036
-
SSDEEP
96:ZqF9oamAr0aIuSg42sEi6EkuzwQYwld9dyLh9gZsLvsFgl:ZqFyQr0jgjs9lhzw8OgiLegl
Malware Config
Extracted
vidar
https://t.me/g02f04
https://steamcommunity.com/profiles/76561199828130190
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0
Signatures
-
Detect Vidar Stealer 30 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file 1 IoCs
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 5 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\config.js1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\tmp_ndxn6rq1\""2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\tmp_ndxn6rq1\main.exe"C:\Users\Admin\AppData\Local\Temp\tmp_ndxn6rq1\main.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc657cc40,0x7ffbc657cc4c,0x7ffbc657cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2024 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2172 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3232 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4532 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4484,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4684 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,8791633252430873768,2749108600500655258,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4808 /prefetch:85⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc65846f8,0x7ffbc6584708,0x7ffbc65847185⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2064,12636408558772927318,2078885605222906763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Remove-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\tmp_ndxn6rq1\""2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?LinkId=1297651⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc58846f8,0x7ffbc5884708,0x7ffbc58847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15552175371574696652,5631080743773496486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5f09c5037ff47e75546f2997642cac037
SHA163d599921be61b598ef4605a837bb8422222bef2
SHA256ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662
SHA512280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473
-
Filesize
152B
MD5010f6dd77f14afcb78185650052a120d
SHA176139f0141fa930b6460f3ca6f00671b4627dc98
SHA25680321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7
SHA5126e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
44KB
MD5d1f604157b0745a40453afb93a6caa42
SHA13d5d77429b03674ebb0ba34d925ba1b09310df5e
SHA256468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5
SHA5120644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0
-
Filesize
264KB
MD564b9728a254e1d131dca7273d229a9a5
SHA1c93eeaa836507f39335aed5c0bd96db93c5faa77
SHA256bfd9a2d69967304cade524cef03a8e05fb72fc234457ed985dd841158da3f6d6
SHA512a608ed4f2a2fcf9a729d3c66c540af3e73f7e2490d985f13360873a5b579507d043a09cc06e5ae2cffc96712f37b9b59b1e21abef3abf1bc5bc8a55867588f89
-
Filesize
360B
MD524091b53b30abd55e4fcb59a2bd05c8e
SHA1036e35264f55cbfd5edf836468e5afa715bc8e51
SHA256346d8fb5a4041e8846f8c2131bc255f5a4496c6ad9c8836981613c27369c8fbb
SHA5124eeca006d2ca85c4f12962a0b33e1d09648601ed998e091f5166e62d8ede35ad720ed91decf276719f1a0995f477ae0956301478e2f98c8c08803e9ca5c41ab6
-
Filesize
322B
MD56c6b1628d2355d4407d36914f105c317
SHA1f40ce37ed9664942e4874d0d6bae51edeabbf535
SHA256709dd2652237c8a6f04caf19dd6f8990f89a1131446c3a00f5c99bd9550a7934
SHA51287dd5e111eb127970abd86e51ba33441d0bffad1bfa3d7f327c42d7a5982be031e187bd14b9b7d07ea7200e512f76492bef64ab36375bfa4b0cd6ccf48f4b95e
-
Filesize
331B
MD54657adbc95c0bd0b4884b96f30b4eef7
SHA1889370729a6957ad2625319139d6c33c6ce50edf
SHA256610e5d86b4196788f52b2471024941897798e24e6baafee259265e4162991a9e
SHA51284291cea00b91794f62df699c5edbedb16057a043b5903a30ec365ad93acf08baf2df7adf334c1c74f2e908ef43da59b22bff74bfba2ffc654253a1c1bb8d5b2
-
Filesize
734B
MD551cc63d3089b5058d82918739233becd
SHA1721ad5a506b0d50c671567620f2ea5434f60034c
SHA2563a12c11a6bd7461843e79a803b54aab98e3ef1d04cd37967ff130382f6321501
SHA512a1e57a2f0b6ea74542a34cdfd9eeb9c1257760e95d58ab31ec5db23b72cf475cfe57deb7bc6e135ed1c18a37d332bc217a8a4f503b0348bbc6c944e267ebc561
-
Filesize
6KB
MD517ca626572af14c5bb8619e9c8467219
SHA1428339c32e035f9231511ad22f610f8ff12abce1
SHA256ca3247c59d04eac01560f4cb2264cc307a6b40cdf2f2ad646cb694a17aa50b98
SHA5126ca18960ac05074423eb3e751e2578c5f74e1263a0edfd23bedad1363d3cd56d93399c26dc07943046b9dfd53008f9d553c329f7b2d7b440e2c5e65dc6a888f7
-
Filesize
6KB
MD577168dee4cfe26b048835b6858815341
SHA1f40adcc0439791b0e8489c26ef2a91b44bb5c373
SHA2562d732224a5be4c26910e29953cceb023dc78bf173a4653075451b8164016b32c
SHA512aa5e7c18a16b859636839632bbf92c417c361d23d34674b7373d58368b8e2ee55e7f658adb868461cb27e7b403924822ddd8178bfa3f81b538b610ed86ee3fa6
-
Filesize
6KB
MD54dbd3f77400e59d5f40ddf0d588ab932
SHA1da3d45e21ff61a36279a187fed13d4d5c8e9258f
SHA256518c206c629c2d94309c760576d19623d193a8452276ab19400c93d14c7812b9
SHA512eb6bca06c9629684db7b2b368f3f85afadc603f80206abb5c906492b2dc90d72a86b953783b5180a1a23a3ad04e997ea0a2419f8dcc00cc643cfd30c05f4783d
-
Filesize
99B
MD5ba92e5bbca79ea378c3376187ae43eae
SHA1f0947098577f6d0fe07422acbe3d71510289e2fc
SHA256ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f
SHA512aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62
-
Filesize
319B
MD5e4da82c8bddd94c50c6614400fce275b
SHA1d12cbe67517d3393fd9ccd82253ed37fba4ec545
SHA256edd1f6f00c84197c39c8f4b76b5c35ed93ea28ea0e62328147d01184337b3c05
SHA512d81024e98c293a110ae52b89e02e9fbb97ab0cedfd1342d21f20047836f820ec2bc5857008550a879218a5e2392b4cbcefd9582bb95540636673e74474b5ffd3
-
Filesize
1KB
MD5773b9753e622d23df9ff1cfb92b1c1aa
SHA15807a84003a9c7d6e61850e25b13a2721af0ce50
SHA256845485b692bd5c4d47f6d285fedb86766832f3bb90158670ab018ed5bfa3f899
SHA512e3ef1276e2f462bd512ebe12339fcf5d5cd4d2ef6138672ad0c708dfff939753a88282338abb0926fdd99cffb13aab7bf965bd091b498b591458a1712adec146
-
Filesize
933B
MD5628c17b987585b7422307b531a807683
SHA10842a8f0aee6214e86f41d2a93ec276bfce02a9b
SHA2566244fd08a0f895c0c208cc98f9c35875cc0ae5c9b46dc6d87cc7f146c57d1bbe
SHA512956200a4e61894ca0c6bd97dc66b1c54af5d19e8fc43b128de9c851efe4fcad4993d7171b9ab34303bf87f75106a7715d21870c2e1ad7d3a980fd935e7334000
-
Filesize
350B
MD51cca583a6d77ee06eab137c7b3bb32f6
SHA135c9e1aa8d221823ada1ab98a131a0289dde1bd1
SHA256cf5e0834512439ee93f77ec86d57d80445ddb8bd59021367e2fe1699c624b8b4
SHA512b60c8b06c7e0e9b11b12ae66f164f603fbac0eb539b7ace3242c654d32ac0e9c8299e72d631123bcb12fbc9f244b778fd990c08aa3129350e4197a2077d24807
-
Filesize
326B
MD530f7863f71892b5fab04c64953210223
SHA1b86b227339af108624a4cc54cb4f7f1487f6a56c
SHA2568ee01c8a29e1a4275ece7cb3bbed20427e8127a4e8d044fe6fcc92953fd2f3bf
SHA51223fc6da8517d889ac687ccd2475a0630c8eed047e5ed0b84b90a63a60daa852d94d4410adb2072783ccc648d4ea498a03fbd667d83383d84004cabb04eb9b6e4
-
Filesize
16KB
MD5b7a95248ab0dc53b03ab2805b235127c
SHA159c720507e5e4cc67e188fd9a74a42ca8394e34c
SHA25668a85091a9d42dd60206b3bfe7ddcd7d40b850561ab138662302ffa5d8201791
SHA51232bd53b2fe21344ddd593e8e156aa02210a77c4c4149f2000352787fe4f8f525b4cfcfbbe7fce30dd7e9edf78a2adea1d42c578aaf17b05f12b46a0c25ca9486
-
Filesize
322B
MD5861eba27093361ea346ed60c6e7a1439
SHA1d50359ff15998e8c3e8a4ea7581385b19e7592a2
SHA2560e18c21991252afaf5322489b599ca29059300c0d70306d98442e8a5f998545e
SHA51297335f3e2446d2a3bd08cb757711fcd41ba5f68894e82e520ab6a0925b28bebf945d321bfae1e22a57a3bffc82b40a00a6dd76ac1a5788b27a5b19d75fdc1b26
-
Filesize
194B
MD5a48763b50473dbd0a0922258703d673e
SHA15a3572629bcdf5586d79823b6ddbf3d9736aa251
SHA2569bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd
SHA512536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1
-
Filesize
340B
MD5c2195fec40c20b47ed474729aa4601be
SHA1e06fa334ac49b4c75bbd1252993d5d3cad025561
SHA2560f14e87a3ad201d1ecf10c51457fc55714fa352a43024f4c8cbc72b6f7598b9f
SHA5122919bb518b71ff50db76989d26d8dede19023f8eee96c86413bc2ee3c77eb6d0da78ed0adac106ffa9de1ffd8d0a7077a056aaa5e171e162779736f462b3f2a7
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
10KB
MD5f43bb62e62057ad54819d025783d5309
SHA1f98ab4f53ce43d56143a5f0f6e8d3352a4b9f07f
SHA2560115fde37bc630135ec017530693b6b211833b9234674b63c6dda790ac28100d
SHA5121b389af0e44703aa64611287e907bf2eb8682d719dc31a9fa6d5f0b25fb3bb59a39e1d67332317d2e792a4769cb82c8a8efaa936076eac64b29978bce07cee08
-
Filesize
4KB
MD512aec4b5a7b91cde37cf1668aac2549e
SHA18d4ba2503bc4f54c4d5bfdabf0a44551b512bfb9
SHA256399bfcf309476b9fa21d18dbeb311a6f28141e12ce4998c455740cb9c5ce1378
SHA5126b51e4bd214c94ca9c1c922f6dfed7c76967b601fa5b4925dd53cca8fd0182d12e4dc524a7528f9395bd9bd9ae185a3266e14b2cd3f3108cbd8e661fd2b10f48
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.4MB
MD56768e4499258c2b0de9500e3df9f1091
SHA1be85cdd2afc5ef803cbd27a3f9e5981728e9ac39
SHA256e226a8c19929e94761027accb16309d9a64589b9bf67778cc114ad75636790b3
SHA512a0f1fa5a14268e4cb977001121bf0f9691f9a1dc1210bfc08b077d36527b86c658fe897669ee58071f0d62178039fef690587f66256fbd060c3553fe2b6677de
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB