vidar | 630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced

Resubmissions

13-02-2025 19:55

250213-yna1qstjbk 10

13-02-2025 13:16

250213-qhvtysxrgr 10

Analysis

max time kernel
299s
max time network
300s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-02-2025 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.ps1
Size

29B
MD5

726ac161772f83ef4c852d6c3e158e86
SHA1

66b5487d1d873300d241e96fed4e1ba5d8fea2af
SHA256

630f2e9dc252f71613a30aaf3544739785a64f3f6fc96fbcc960511b29e0eced
SHA512

0b103e71e1a6b5ba400981f45ba460290ec97bd424a80ed4675b12aa68e9d3426bc253c5ae63ad4deba146b69a10b8f532c40344e6194482c3cc73bc4ab95910

Score

10^/10

vidar credential_access discovery execution stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral1/memory/2856-56-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-63-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-64-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-66-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-107-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2856-108-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	3340	powershell.exe
8	3340	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
37	4704	Process not Found
8	3340	powershell.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2208	chrome.exe
1124	chrome.exe
812	chrome.exe
2764	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	updater.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2856	1992	updater.exe	97

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3340	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4048	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839263693936339"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3340	powershell.exe
3340	powershell.exe
2856	BitLockerToGo.exe
2856	BitLockerToGo.exe
2856	BitLockerToGo.exe
2856	BitLockerToGo.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeIncreaseQuotaPrivilege	3340	powershell.exe
Token: SeSecurityPrivilege	3340	powershell.exe
Token: SeTakeOwnershipPrivilege	3340	powershell.exe
Token: SeLoadDriverPrivilege	3340	powershell.exe
Token: SeSystemProfilePrivilege	3340	powershell.exe
Token: SeSystemtimePrivilege	3340	powershell.exe
Token: SeProfSingleProcessPrivilege	3340	powershell.exe
Token: SeIncBasePriorityPrivilege	3340	powershell.exe
Token: SeCreatePagefilePrivilege	3340	powershell.exe
Token: SeBackupPrivilege	3340	powershell.exe
Token: SeRestorePrivilege	3340	powershell.exe
Token: SeShutdownPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeSystemEnvironmentPrivilege	3340	powershell.exe
Token: SeRemoteShutdownPrivilege	3340	powershell.exe
Token: SeUndockPrivilege	3340	powershell.exe
Token: SeManageVolumePrivilege	3340	powershell.exe
Token: 33	3340	powershell.exe
Token: 34	3340	powershell.exe
Token: 35	3340	powershell.exe
Token: 36	3340	powershell.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe
Token: SeShutdownPrivilege	2208	chrome.exe
Token: SeCreatePagefilePrivilege	2208	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe
2208	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 1992	3340	powershell.exe	96
PID 3340 wrote to memory of 1992	3340	powershell.exe	96
PID 3340 wrote to memory of 1992	3340	powershell.exe	96
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 1992 wrote to memory of 2856	1992	updater.exe	97
PID 2856 wrote to memory of 2208	2856	BitLockerToGo.exe	98
PID 2856 wrote to memory of 2208	2856	BitLockerToGo.exe	98
PID 2208 wrote to memory of 1148	2208	chrome.exe	99
PID 2208 wrote to memory of 1148	2208	chrome.exe	99
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4240	2208	chrome.exe	100
PID 2208 wrote to memory of 4216	2208	chrome.exe	101
PID 2208 wrote to memory of 4216	2208	chrome.exe	101
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102
PID 2208 wrote to memory of 2628	2208	chrome.exe	102

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\e19f684d-6eb9-4f16-a38a-880dafde5e8d\updater.exe
  "C:\Users\Admin\AppData\Local\e19f684d-6eb9-4f16-a38a-880dafde5e8d\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffd6a71cc40,0x7ffd6a71cc4c,0x7ffd6a71cc58
        5⤵
        
        PID:1148
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1916 /prefetch:2
        5⤵
        
        PID:4240
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        
        PID:4216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2492 /prefetch:8
        5⤵
        
        PID:2628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3244 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3416 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4572 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4648 /prefetch:8
        5⤵
        
        PID:4496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4824 /prefetch:8
        5⤵
        
        PID:720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4904 /prefetch:8
        5⤵
        
        PID:2968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4892 /prefetch:8
        5⤵
        
        PID:1420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4552,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3852 /prefetch:8
        5⤵
        
        PID:2932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5072,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4820 /prefetch:8
        5⤵
        
        PID:2360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5012,i,702082778403355358,3756293230576984880,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4860 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3708

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTJFRURENjUtMTExRS00NzM5LUIxQTQtNjIwM0QwMjBDNTkwfSIgdXNlcmlkPSJ7MzNGOTIyMEMtMDRFMS00QjNGLUE4RUUtQjkwRDBGMDEyNDhFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Rjk3MTBFRUItOTJEQS00Q0E1LUIyMDctRkM3Rjk0MEM5NjFBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwNjA3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NDk1ODEwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE4NzQ5OTYyMCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4048

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
83445d8d3948ad992d6b08d3c131e5b7

SHA1
3d0299b98b76540a69c3833711a1ca2a5e6f1f1b

SHA256
989bc8c7b0557c3cee35de2138a38b5f978d3064daa98c317d3d33235a41e659

SHA512
88c787608ce2c6db5f6615c6c497a5dae1ce1d732dabb267244f1f803bd1c69f2d42c7e820e218a70a4037bf58f7f8a362be06fa0c4cd7f9a1d9d2dd72e18ed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ad953c1fcaa1a0f6d11c42a62e5de8db

SHA1
1c6f392252e1328a7efeacee8938720be5e4e085

SHA256
42c26ba9bd5112240ab9208caec1474aafba9387853c2c9fc01b71b4874adc61

SHA512
c424e93767c2bbc1b384560043dc584f2236b4d0118feae66dc9105b87a94a9a5b9afe029b22ec2113bf50a69b70f3904b7307522db36d902b69626217fad21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8b6fdcda53e7648f1767984341acca01

SHA1
9d17ba347dbefad048a15762891930a13c0f0e7e

SHA256
049981beec47e46c75f851b32f1b77ad23505e921540613a4758deeb4d95772b

SHA512
51bccf1f8f70fc24a8b6df0513da1190683214d14613b5920446b2a84c52dd5a3bb83e7aa9e23f8e034fb8fc89b55e049ca76e78450efc9b3448e5640c2e9215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1cf83ea0e9fc7346b25a328711e90828

SHA1
5d60c236a96930a12b7f3203a8f5bbb4b2655a76

SHA256
d18ec543160466ea8fed4e7ca26952ba9ffa05313d9ee57b1d4a5b6a3da58777

SHA512
c733f29810cd469e78fcbf9cbf9c1eb41de2cd8b6c7506c189fb8cd1dd3be65e8037697ea9a9761ca140f80ebaed33ea5f7caa7b694316c9ae4630352ffd8083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edf6f800fad861dd544029e0606118c3

SHA1
f3fce06357814897f22425c5041e0e15bab533c8

SHA256
499bf6f920e1b85d5092c03533aeb4f537b1206706441325404fc838ea94e0c0

SHA512
741338effeb3f29f7845ce27718850f22fd6f89796dc8bb2126bba8f955d4241dce737b9e5cee0ce73e58317057f113e44400f80602bbfa5cae4bd2546086913

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a7af1073524e62c97958a48bcb557dcf

SHA1
fb69a1daab44c902ef0839d911bac6c28ca3580a

SHA256
5d07a9adf6cd210235e6b063e1dc577ebe7b016eb0cfc6624e05de0b4b082912

SHA512
5c2ec7d6dd9545047688e18607c5ad48cf24944564cdbec6be34e3143d9205345d8014584aaa5031eb3d3af79a4f061eb5e6025fc067d78c0a748cfd4a2bab78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0692c9e22e0685a0d5c9bc316658757a

SHA1
6e0bc5d11fd729588eae93cbcff7c32ccc4da3e4

SHA256
cd5c77ccf36dc7031541d1a96f0329fd9f3c66f0bd4a1a46f2c8bd144f220e08

SHA512
3a7011f8f572bd808b4b274d497ea862278f3b3191fe0a632179703c21696e09cb93f5c415ba292ca30bebcec22ae1760d6d8b53d5c68033bf2a22d3cae547aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
984824bfc1a075cf884399c5b845a983

SHA1
996522f590871260fc4d1871689a18546df0aa9c

SHA256
5e771aed10dd090d60cef61879c86dd167afc67dca2ef90015323a2393d03b85

SHA512
4e92267d9cff789ebbd70ddc9d552ece7d6e4525a1c96d6839b6dc5d976730c2931d69d3d3e6b657da0e94ce4ca3c30e6a7ee334565179740b713be5621fee57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d3863a1148fbaedc4fd480243082ca2f

SHA1
6ba65677b09dad5ff5103b6aa5c0cc85b8961dc3

SHA256
e0a7d5d04a5d31c981689d105a77fc312abaade470ac8dae49e41c19e3eb030d

SHA512
05099a35e73c5b2c56ef3b5d6101fbf8a9c47b86726c6fd6f03ccf3f197bba1768324a796fc0d591db8de719d74d384ed3cce6c4417d2d985cd874505cdaca52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
c8ac5029520b31a94a172adad500574d

SHA1
1c1d460b7f590165244511160b5df1d743a321d5

SHA256
4ef1ee715141b17205d3cc392720869ce6ffe9c73ae5f68de71ae00fe0ee3ef1

SHA512
661a50ff02f1cf3aad8c747ef7ef72e50553341f7be7e116f25885a4d927ad77efb7706cd3bc74cc76681e53aeaae3df589d1cd6f57184b5753cc2d71b3e8587

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
22bc24ff2e3156801d29c89f137ce3ac

SHA1
a572fe7700bd8c18eeb24449050d2952699f908e

SHA256
677b51e43f68405ba06aa1e16a480c7338e1612b13cb02030247bb5d3fbcc18c

SHA512
33d3c9abe1841735bb823dfd59a2beda86edb851cb0789419a8dd3c4e57aa689b2f570f9d430e8ed381e61a8124c10ffdbe362877428ea7459a3ef2b1a8571a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
35d4c211b46d0e26593cbca905a3e3a4

SHA1
ec090a436c1100378c6f42d10ed94688cca87b96

SHA256
aeb9dfcb68b0782c81aaa1017fe960929a24f00c673edb09318dad6341c3cfa0

SHA512
e26974cd251e95a4dc08543b1aadd85deb6c9b9f504521ee74c71730f19fa0fbe4a83958c40bf0bd9c27f11539649d7b81014f1ebb674c97d5fdfdecb5b55277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
fb7f6e2665dc9e3939309cac1bdd9ce8

SHA1
d43c1fed6981287f77f48626d38e7fe3ef8d2540

SHA256
da4d2824da7db8bdc7d5e1c86380924fdfd7474464b2c105cb600b05d977f8ec

SHA512
2f5ab4dc0545d1a9f44e08d502fe31476afa16caa172e887e064fcf0d931f5edb2f99d5bc5c62f40efc0dfd3b359c7fe117696b932188c0554c6ca88277aecac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
5cf2d432db52226d1b795434d3189016

SHA1
fb33098a812e2713c8deccb3122e008ae2d8ee4d

SHA256
702de086ea18f46110db5c6ca23d988cb6ba359d5139a45dc5d02a0328e26892

SHA512
c6c126f6953a9c5433ba5803396a2d79928561007993b9aa3462c81b4837a1eaa70268bcb40d0a28c897aaf6f293495c073905197079f651fdf8e73ba6cc17b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehts2awn.35y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\e19f684d-6eb9-4f16-a38a-880dafde5e8d\updater.exe

Filesize
4.8MB

MD5
9c34d1555408e02bf79d305e14da648f

SHA1
3ade53d77f21861819565b4902d42d17b26b0771

SHA256
81a16262857bdc1497888c2196a6abb068da74a736724f34828b048777560cce

SHA512
be426e3af1d0888cf1b9dd61f01f9010f4f2f83a979acdafb27eae99b21b96e96391ecd73d01f60d087c36adce9538ce8f307bf9660a8b6cf4306e7b6dca1a46

Download Submit
memory/2856-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-108-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-107-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2856-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3340-0-0x00007FFD71C93000-0x00007FFD71C95000-memory.dmp

Filesize
8KB

Download
memory/3340-16-0x000001107D710000-0x000001107DEB6000-memory.dmp

Filesize
7.6MB

Download
memory/3340-15-0x00007FFD71C90000-0x00007FFD72752000-memory.dmp

Filesize
10.8MB

Download
memory/3340-14-0x00007FFD71C93000-0x00007FFD71C95000-memory.dmp

Filesize
8KB

Download
memory/3340-13-0x00007FFD71C90000-0x00007FFD72752000-memory.dmp

Filesize
10.8MB

Download
memory/3340-12-0x00007FFD71C90000-0x00007FFD72752000-memory.dmp

Filesize
10.8MB

Download
memory/3340-11-0x00007FFD71C90000-0x00007FFD72752000-memory.dmp

Filesize
10.8MB

Download
memory/3340-1-0x000001107A880000-0x000001107A8A2000-memory.dmp

Filesize
136KB

Download