vidar | 19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f680720826812af34cbc66e27e0281f.exe
Size

6.2MB
MD5

9f680720826812af34cbc66e27e0281f
SHA1

fb580afbf6fb913e83eea1fb99be9c95b6ec39d5
SHA256

19198e75f7c830441360a42b06e10415f4368300a7590c119c237ea8c67bf23e
SHA512

482fb7ca414b9070849017a9ec390597dd6fb1a18cb7e819b498b786dc1467dadd928d2f054baec880307274296f6b66a971deb63b14f0fc27f39094fcb2be8e
SSDEEP

49152:QU4K1Qy8nPDdZiBSFfscuj9ADJZlShhV7+pXLRB5TYAUhJSh7DUtiGlMlHDNuc6X:QNbrnrShj9AVYhgB5IJsnUw918SvljW

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral2/memory/752-2-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-6-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-10-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-11-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-12-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-13-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-14-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-48-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-50-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7
behavioral2/memory/752-51-0x0000000000490000-0x00000000004B2000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
40	4860	Process not Found

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3680	chrome.exe
1344	chrome.exe
2552	chrome.exe
2840	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f680720826812af34cbc66e27e0281f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
316	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839223848847599"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
752	BitLockerToGo.exe
752	BitLockerToGo.exe
752	BitLockerToGo.exe
752	BitLockerToGo.exe
1344	chrome.exe
1344	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe
Token: SeShutdownPrivilege	1344	chrome.exe
Token: SeCreatePagefilePrivilege	1344	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe
1344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 1732 wrote to memory of 752	1732	9f680720826812af34cbc66e27e0281f.exe	95
PID 752 wrote to memory of 1344	752	BitLockerToGo.exe	97
PID 752 wrote to memory of 1344	752	BitLockerToGo.exe	97
PID 1344 wrote to memory of 3304	1344	chrome.exe	98
PID 1344 wrote to memory of 3304	1344	chrome.exe	98
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4548	1344	chrome.exe	99
PID 1344 wrote to memory of 4304	1344	chrome.exe	100
PID 1344 wrote to memory of 4304	1344	chrome.exe	100
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101
PID 1344 wrote to memory of 1172	1344	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\9f680720826812af34cbc66e27e0281f.exe
"C:\Users\Admin\AppData\Local\Temp\9f680720826812af34cbc66e27e0281f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad824cc40,0x7ffad824cc4c,0x7ffad824cc58
      4⤵
      PID:3304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:4548
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:4304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1884,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2516 /prefetch:8
      4⤵
      PID:1172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2840
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4172,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4580 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4232 /prefetch:8
      4⤵
      PID:3336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4504 /prefetch:8
      4⤵
      PID:1764
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4752 /prefetch:8
      4⤵
      PID:4200
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,3623449469309621782,14297171843222350173,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4836 /prefetch:8
      4⤵
      PID:516

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTNDQkREQTAtQkJDNC00QUZGLTlGQTAtQjk3MDZGQTdFMzIyfSIgdXNlcmlkPSJ7Mjk4NzBEQTItRTI2Ri00RDAwLUE5RTAtMzYwODhGOTYxMjA5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkE3MTI4QkEtQjJEMS00RTVELUI0MTItNUM3NTdEMUM0MEYxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDUyNTIxNTU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b96b45c08b5922e6de9a67a358aa29e6

SHA1
c596c99c353502bb3aa9f910651a5c5a173c3d50

SHA256
3f85206e4d7cacad0073b8a42e81f4749a0cad4e5dc9a6c0f92a44b02530d0af

SHA512
d585920dce12daee22693cef64414928730f9c832945bc7e1d67d0ce9149c77ab9d01ad9db2ce1c8c4abd7a3f45c66a72feabf8a94c520e32a58e15480eed780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4bc67ccd05b1b82b6854da518a8c99cd

SHA1
ae680084952aa86569afbc454efacc70cc82b9fa

SHA256
53a5d7f10c31edad53e01eb9c6842420473bc73a3b3d766bd282a9d9b391afc0

SHA512
b84d34f78b1582b8076a06b83df04ed45c1f86ebf579bc6d10544e0564dd63e6c9b338478777e716b8119e951e2070fe414e5b1396e9ea6886f2f25e4f7a23b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
47bdc983efb71a9ed9286372e3abf1ec

SHA1
6f510e14a938f6a97bb6a0865711d6d45002a677

SHA256
4a1e9bcc58749b65e74e03a9b26a3a59eb37f271508760ddc9fd0156de555148

SHA512
507847aabfcca9c4a5eb5f780ae9899342ab402d188ebbb7841305cc353a7f27130facd914b9586ea68fc4a3e6ff30034146753c07f3219609007abf9bae0d2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b7e4b87b56c011797547edfcf2bf0cde

SHA1
d0a194d3aedaf1d3a0034b160e643d5bb3eaa17b

SHA256
55b6ec41c2e62c22e180545bed27a58f9f7a0d5b448572fdd4802d8fbeae3b23

SHA512
0b9b67703062041ae3474946916c94da940b751701f275283a28fdbf69d6473e1177241710ae633a2222cd4d13f5b643168832e0c806688150ca8fe9f2fb7b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a6ef09b7e60da834e1a6c22471c34a90

SHA1
e459240db17db3f8a67b44b8ad4e8f4dce991766

SHA256
aca4f5816a79d4457c47fdd14d6070b52c003bd65f062ed619413562a0a3ab03

SHA512
6f17919fa6070c19c582aa49f589f00f0942ea9bc1ef244c57fe5feb7bf04bf4f7d74e33b4bbdef1d160bc47e9b615987d189810b8c0c42ac916f060346864a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
76bc35d56299ac9d3704822c96738981

SHA1
7b53bd571abc8ef9c382f67287ea670b5f2cfe04

SHA256
8722b7b3f84e1fd4848bb5766539bfe546715cfe0edfdf65c593975e13c5a5f0

SHA512
248e18fb672bf2ddb0f7d2ea7bea1bbf1991d860ff992fc65f0223766c63d397298be52d4a303368088b06a96dba964445654e7998ad5160ac128cfac49d351a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8c018c3542d87fee5dc2472a45cdcfeb

SHA1
9fbad41a2c192dca962122a2bd40407ef0d08505

SHA256
b5177068f2007392e167753cd163241cd369bf0e7f4c525cd2900a0e4be74575

SHA512
82d48790dbbb14b5de2031e30b4719c484b8c0838da272cea93f4bacb658086c5b24596b91aed65d3137ed2fc1e43d388b1e831f0358e69728dc10e6a2914dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
abf4e503c08f6df490e8bd64e1e73869

SHA1
b961291d3200b387a84b2df8a748d09b6856841a

SHA256
af309bf1b4affa8ce2c470c0d0ab33851b1fb2a47d23cca9dd2ec5ba193a09ec

SHA512
b96c3ff31b7cbff60a1ca15f49ffe81c9952a3513b7603742a710f2d054396f811ddf8fe24681ff08b7007c5aa380862b02bdca48973c4f1e45cef09134e87fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
40b641f0fa2a4185f3aca06e49bfc9af

SHA1
f29eb0f4ffef01842da95297066fb797d59bab5d

SHA256
94cb80ef11449d02a82c3f5ddeaf59e67cf58353c267b4d55d120c15a9e47b2c

SHA512
b95db16b72f2757cb4c6e47edcfaec14e407ad2440fcede3a95007fd6cc941de6b4debb7ab1b04260687583b7624e4af4ba976b2c2480a364c595ca00d69c374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
9ea24d341ade10ca5a53f94622afc349

SHA1
b5079f10711010ddb2a6c502a039e0906dec813e

SHA256
71c26907ad30ce16f791e3ae6f852d861bf5378af1c2a571f38c8a8bcddb32cc

SHA512
40ff120689fa3b390602505629029762b40163461f106daf3ad3c68ccc7ac6e45db0aec1389768e57b322e6e722d6665be743327794a54bba8bf8b973558c71a

Download Submit
memory/752-12-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-51-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-50-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-48-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-14-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-13-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-1-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-11-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-10-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-6-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download
memory/752-2-0x0000000000490000-0x00000000004B2000-memory.dmp

Filesize
136KB

Download