Analysis

max time kernel: 95s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2025 18:06

Static task: static1
Behavioral task: behavioral1
Sample: config.js
Resource: win7-20240903-en
General

Target: config.js
Size: 4KB
MD5: b50f09dd1b24a4873bf0f24447ede431
SHA1: 4a32f009ae0f2988ccbe0994cd3e8720428891db
SHA256: eb7593118f659dce4e1ef47eef2d465070c8cde955696f1f4925ff0076a54e3e
SHA512: c99cb30f2f894ec9770638d3a0e662941bc5112c226ef0096fdd4b7ceda8541ba572602fa139c335db9cbf113937455170b73d04174cb8ef6674758f99876036
SSDEEP: 96:ZqF9oamAr0aIuSg42sEi6EkuzwQYwld9dyLh9gZsLvsFgl:ZqFyQr0jgjs9lhzw8OgiLegl
Malware Config

Extracted: vidar
- https://t.me/g02f04
- https://steamcommunity.com/profiles/76561199828130190
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0
Signatures

Detect Vidar Stealer (35 IoCs)
resource | yara_rule
behavioral2/memory/2368-26-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-28-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-29-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-48-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-49-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-50-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-51-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-85-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-87-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-88-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-91-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-95-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-96-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-97-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-101-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-103-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-104-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-105-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-136-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-137-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-140-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-144-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-145-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-146-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-150-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-154-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-155-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-161-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-162-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-163-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-164-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-169-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-170-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-171-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7
behavioral2/memory/2368-174-0x0000000000400000-0x0000000000422000-memory.dmp | family_vidar_v7

Vidar family

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
2 | 4808 | wscript.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3636 | powershell.exe
4204 | powershell.exe

Downloads MZ/PE file (1 IoCs)
flow | pid | Process
2 | 4808 | wscript.exe
Uses browser remote debugging (2 TTPs, 9 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
3968 | chrome.exe
3608 | chrome.exe
4492 | msedge.exe
4200 | msedge.exe
3948 | msedge.exe
3292 | chrome.exe
1520 | chrome.exe
1332 | msedge.exe
3452 | msedge.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | wscript.exe

Executes dropped EXE (1 IoCs)
pid | Process
2468 | main.exe

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2468 set thread context of 2368 | 2468 | main.exe | 91

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | main.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | BitLockerToGo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | BitLockerToGo.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msedge.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
5060 | timeout.exe

Enumerates system info in registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133843756367435189" | chrome.exe

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process | identical consecutive rows
3636 | powershell.exe | 2
4204 | powershell.exe | 2
2368 | BitLockerToGo.exe | 4
3968 | chrome.exe | 2
2368 | BitLockerToGo.exe | 4
4412 | msedge.exe | 2
5028 | msedge.exe | 4
1332 | msedge.exe | 2
2368 | BitLockerToGo.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process | identical consecutive rows
3968 | chrome.exe | 3
1332 | msedge.exe | 4

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3636 | powershell.exe
Token: SeDebugPrivilege | 4204 | powershell.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe
Token: SeShutdownPrivilege | 3968 | chrome.exe
Token: SeCreatePagefilePrivilege | 3968 | chrome.exe

Suspicious use of FindShellTrayWindow (51 IoCs)
pid | Process | identical consecutive rows
3968 | chrome.exe | 26
1332 | msedge.exe | 25

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | identical consecutive rows
PID 4808 wrote to memory of 3636 | 4808 | wscript.exe | 82 | 2
PID 4808 wrote to memory of 2468 | 4808 | wscript.exe | 87 | 3
PID 2468 wrote to memory of 2368 | 2468 | main.exe | 91 | 11
PID 4808 wrote to memory of 4204 | 4808 | wscript.exe | 92 | 2
PID 2368 wrote to memory of 3968 | 2368 | BitLockerToGo.exe | 94 | 2
PID 3968 wrote to memory of 3712 | 3968 | chrome.exe | 95 | 2
PID 3968 wrote to memory of 4576 | 3968 | chrome.exe | 96 | 30
PID 3968 wrote to memory of 3516 | 3968 | chrome.exe | 97 | 2
PID 3968 wrote to memory of 3588 | 3968 | chrome.exe | 98 | 10
Processes

- C:\Windows\system32\wscript.exe (PID 4808)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\config.js
  Signatures: Blocklisted process makes network request; Downloads MZ/PE file; Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3636)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\tmp_lj8aifp4\""
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\tmp_lj8aifp4\main.exe (PID 2468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp_lj8aifp4\main.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 2368)
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      Signatures: System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3968)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        Signatures: Uses browser remote debugging; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3712)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8c79bcc40,0x7ff8c79bcc4c,0x7ff8c79bcc58
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4576)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2064 /prefetch:2
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3516)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2524 /prefetch:3
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3588)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2040,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2628 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3292)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3608)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3276 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1520)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3200,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4588 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2808)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3668)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4576 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2372)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
        - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1088)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,15099072542811952305,6356127142520087677,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1332)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        Signatures: Uses browser remote debugging; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5028)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c79c46f8,0x7ff8c79c4708,0x7ff8c79c4718
          Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1412)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4412)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2768)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4492)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4200)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3452)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
          Signatures: Uses browser remote debugging
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3948)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,13471810993603170921,6750738497630511283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
          Signatures: Uses browser remote debugging
      - C:\Windows\SysWOW64\cmd.exe (PID 4460)
        Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\yc2d2" & exit
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\timeout.exe (PID 5060)
          Command line: timeout /t 10
          Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4204)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Remove-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\tmp_lj8aifp4\""
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 1532)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\system32\svchost.exe (PID 3852)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network

MITRE ATT&CK Enterprise v15

Credential Access
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
- Credentials In Files (2)
Downloads

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 152B
  MD5: 9f4a0b24e1ad3a25fc9435eb63195e60
  SHA1: 052b5a37605d7e0e27d8b47bf162a000850196cd
  SHA256: 7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb
  SHA512: 70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284
- Filesize: 152B
  MD5: 4c9b7e612ef21ee665c70534d72524b0
  SHA1: e76e22880ffa7d643933bf09544ceb23573d5add
  SHA256: a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e
  SHA512: e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88
- Filesize: 6KB
  MD5: d1ae42fa7887cb956011ff0f9f7201f2
  SHA1: 9fbdbeec339f26dc56acc1b651374e0ffc004083
  SHA256: 4fd7cba367e78583ee02be91a815b04427b5701ee16751465a858a2f688d0acc
  SHA512: d994997f0c2e89e2f1c989546f36474c24934c3abf19446065241381871cf7c60655028db7da5fd82b0ae76ea437af8d8b8e4ba4f4114908995b833b8d1cb677
- Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 5.4MB
  MD5: 6768e4499258c2b0de9500e3df9f1091
  SHA1: be85cdd2afc5ef803cbd27a3f9e5981728e9ac39
  SHA256: e226a8c19929e94761027accb16309d9a64589b9bf67778cc114ad75636790b3
  SHA512: a0f1fa5a14268e4cb977001121bf0f9691f9a1dc1210bfc08b077d36527b86c658fe897669ee58071f0d62178039fef690587f66256fbd060c3553fe2b6677de