vidar | f8b0d88d7094f254631363ddf906efc52ae7f71482c0c4041f07f7d069f89b43

Resubmissions

21-02-2025 16:13

250221-tpfv6avqgl 10

Analysis

max time kernel
194s
max time network
200s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-02-2025 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trigger.ps1
Size

28B
MD5

fbde43d916bb7ec62d1863fe3de8edbf
SHA1

61787be021ab6e3e9f20f759da7b4e85747a7e22
SHA256

f8b0d88d7094f254631363ddf906efc52ae7f71482c0c4041f07f7d069f89b43
SHA512

05b22324b60a44f6b757f5a1df5566872ca08ef1b82e99947ba30415cc69454ef1927de0ff7b5e7927809d62bf89896c6a9ac9377bd4ad29971f4927fdd38421

Score

10^/10

vidar credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 33 IoCs

stealer

resource	yara_rule
behavioral1/memory/2488-82-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-86-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-90-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-91-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-98-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-99-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-125-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-134-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-135-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-136-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-137-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-138-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-139-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-140-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-141-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-142-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-143-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-189-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-190-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-191-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-192-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-193-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-194-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-196-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-197-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-198-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-199-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-200-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-201-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-202-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-203-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-204-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7
behavioral1/memory/2488-205-0x00000000005C0000-0x00000000005E2000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1760	powershell.exe
3	1760	powershell.exe
6	1760	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	1760	powershell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2724	msedge.exe
4468	msedge.exe
5064	msedge.exe
1716	msedge.exe
1736	chrome.exe
2388	chrome.exe
824	msedge.exe
4708	chrome.exe
4380	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
3756	updater.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 2488	3756	updater.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1760	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846282008036660"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1760	powershell.exe
1760	powershell.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
4708	chrome.exe
4708	chrome.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
5028	msedge.exe
5028	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe
2488	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeIncreaseQuotaPrivilege	1760	powershell.exe
Token: SeSecurityPrivilege	1760	powershell.exe
Token: SeTakeOwnershipPrivilege	1760	powershell.exe
Token: SeLoadDriverPrivilege	1760	powershell.exe
Token: SeSystemProfilePrivilege	1760	powershell.exe
Token: SeSystemtimePrivilege	1760	powershell.exe
Token: SeProfSingleProcessPrivilege	1760	powershell.exe
Token: SeIncBasePriorityPrivilege	1760	powershell.exe
Token: SeCreatePagefilePrivilege	1760	powershell.exe
Token: SeBackupPrivilege	1760	powershell.exe
Token: SeRestorePrivilege	1760	powershell.exe
Token: SeShutdownPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeSystemEnvironmentPrivilege	1760	powershell.exe
Token: SeRemoteShutdownPrivilege	1760	powershell.exe
Token: SeUndockPrivilege	1760	powershell.exe
Token: SeManageVolumePrivilege	1760	powershell.exe
Token: 33	1760	powershell.exe
Token: 34	1760	powershell.exe
Token: 35	1760	powershell.exe
Token: 36	1760	powershell.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3756	1760	powershell.exe	83
PID 1760 wrote to memory of 3756	1760	powershell.exe	83
PID 1760 wrote to memory of 3756	1760	powershell.exe	83
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 3756 wrote to memory of 2488	3756	updater.exe	84
PID 2488 wrote to memory of 4708	2488	BitLockerToGo.exe	85
PID 2488 wrote to memory of 4708	2488	BitLockerToGo.exe	85
PID 4708 wrote to memory of 1940	4708	chrome.exe	86
PID 4708 wrote to memory of 1940	4708	chrome.exe	86
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 3644	4708	chrome.exe	87
PID 4708 wrote to memory of 1800	4708	chrome.exe	88
PID 4708 wrote to memory of 1800	4708	chrome.exe	88
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89
PID 4708 wrote to memory of 2736	4708	chrome.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\5ca88bf1-8b14-4282-ba2e-d3a58115e9a1\updater.exe
  "C:\Users\Admin\AppData\Local\5ca88bf1-8b14-4282-ba2e-d3a58115e9a1\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ffe4d90cc40,0x7ffe4d90cc4c,0x7ffe4d90cc58
        5⤵
        
        PID:1940
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2020 /prefetch:2
        5⤵
        
        PID:3644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1972 /prefetch:3
        5⤵
        
        PID:1800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1864,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2144 /prefetch:8
        5⤵
        
        PID:2736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4184 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2388
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3740,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
        5⤵
        
        PID:2228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
        5⤵
        
        PID:780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4608 /prefetch:8
        5⤵
        
        PID:396
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,17120553823364186645,15139131917867808245,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4880 /prefetch:8
        5⤵
        
        PID:4228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:2724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe43b246f8,0x7ffe43b24708,0x7ffe43b24718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:2192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
        5⤵
        
        PID:3148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,1410436692208645463,9937115393625745802,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5ca88bf1-8b14-4282-ba2e-d3a58115e9a1\updater.exe

Filesize
5.2MB

MD5
fcdd5d8bbdd7e9c70b30904c37267bb2

SHA1
6c8c923851462e0c97b48b3826643eea441ed8b6

SHA256
d9b7cd71505bd423ba63c900c792c585314c44d9515cd2767f6c9826e8237979

SHA512
2ea5167cb7c6f4d87d2e3a595cdd40a2be9e24098841a40c64bf50db9e55f954ae7da0646d9ae10f4e833ba793a94fb304791445c8f9f78197e11ce04af012eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9091da214c5c97c04dfbd4afc733ec2f

SHA1
680c48d5c7cdf8b85d12d76e5b5af7d9ccf452b7

SHA256
565c816ea4b9387afdda41c0fc27e21ff9ae434cdca28af87483a29408d85f68

SHA512
5a561d5ebba54af22f33471f622ece68d4d9ba7e7a4f5b6848122aeb9ce07e51e9a56c1357165a5a7daabd03ecd8244b5759b893660958fe5d9264f7cbca0bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
292a6ce7c71334c36bf4672abb161f55

SHA1
6cb88323126830f8468e3fe46aef880e2e6e7d98

SHA256
128a7c0e8dd1f19e06e6d450318f285db1ec974f27b7b5423bbfb2a0d658c45b

SHA512
7aa36903cfeb7f71a402a72e431b935bb2edf8b288abaf49561ed71c00b0204c105124d2ec3bacf688795af307770f9a78a9f07f9d88509db6edf5648355299a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3xgix4e.b2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1760-12-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-11-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-13-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-14-0x000002ACF60C0000-0x000002ACF6282000-memory.dmp

Filesize
1.8MB

Download
memory/1760-15-0x00007FFE36A03000-0x00007FFE36A05000-memory.dmp

Filesize
8KB

Download
memory/1760-16-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-17-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-18-0x00007FFE36A00000-0x00007FFE374C2000-memory.dmp

Filesize
10.8MB

Download
memory/1760-7-0x000002ACF5AD0000-0x000002ACF5AF2000-memory.dmp

Filesize
136KB

Download
memory/1760-0-0x00007FFE36A03000-0x00007FFE36A05000-memory.dmp

Filesize
8KB

Download
memory/2488-135-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-189-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-91-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-98-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-99-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-125-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-134-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-86-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-136-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-137-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-138-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-139-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-140-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-141-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-142-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-82-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-143-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-90-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-190-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-191-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-192-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-193-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-194-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-81-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-196-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-197-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-198-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-199-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-200-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-201-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-202-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-203-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-204-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download
memory/2488-205-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download