vidar | 5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496

Analysis

max time kernel
134s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crypted.exe
Size

1.7MB
MD5

175c9b6b2db3b3624f7df4c54dff3262
SHA1

a96c038467d2d6ff0b95275a828948997b6987a3
SHA256

5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496
SHA512

3d728ce053930f16c8debc087807b3eaadef3c9b21a452b49f13ce767b35b221e71b15db8c849fe71c7d0077d2c0ab31506762626622f87347c596260cddff34
SSDEEP

24576:2iB4QbCAnGZPk/jhW2DQQ3iF2K8+2ntZ8oWyOpZwrlUR:2iB490ykrlUR

Score

10^/10

vidar 00cb84c6bd4caac4bdfc1131beae4df7 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

00cb84c6bd4caac4bdfc1131beae4df7

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 41 IoCs

stealer

resource	yara_rule
behavioral2/memory/3260-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-23-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-30-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-376-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-377-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-378-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-382-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-386-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-387-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-388-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-392-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-395-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-732-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-747-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-750-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-752-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-753-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-760-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-761-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-765-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-766-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-770-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-771-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-778-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-779-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-780-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-781-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-782-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3260-787-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4216	msedge.exe
5032	msedge.exe
1912	msedge.exe
4316	chrome.exe
2132	chrome.exe
5884	chrome.exe
2560	chrome.exe
1932	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 3260	3108	crypted.exe	85

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
768	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878074033510399"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
4316	chrome.exe
4316	chrome.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe
3260	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe
Token: SeShutdownPrivilege	4316	chrome.exe
Token: SeCreatePagefilePrivilege	4316	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4316	chrome.exe
4216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3108 wrote to memory of 3260	3108	crypted.exe	85
PID 3260 wrote to memory of 4316	3260	MSBuild.exe	95
PID 3260 wrote to memory of 4316	3260	MSBuild.exe	95
PID 4316 wrote to memory of 5780	4316	chrome.exe	96
PID 4316 wrote to memory of 5780	4316	chrome.exe	96
PID 4316 wrote to memory of 1528	4316	chrome.exe	97
PID 4316 wrote to memory of 1528	4316	chrome.exe	97
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 3740	4316	chrome.exe	98
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99
PID 4316 wrote to memory of 968	4316	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\crypted.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aa52dcf8,0x7ff8aa52dd04,0x7ff8aa52dd10
      4⤵
      PID:5780
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1600,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:1528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2080,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:3740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2560 /prefetch:8
      4⤵
      PID:968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2132
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4124,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4268 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:2560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1932
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3848,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4892 /prefetch:8
      4⤵
      PID:2884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4992,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4604 /prefetch:8
      4⤵
      PID:2668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5312 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5516 /prefetch:8
      4⤵
      PID:3096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5592 /prefetch:8
      4⤵
      PID:220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3996,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5432 /prefetch:8
      4⤵
      PID:4604
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:1272
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5728,i,12397233257964379956,15736264488203209848,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff89a77f208,0x7ff89a77f214,0x7ff89a77f220
      4⤵
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1932,i,2692976674662456700,10385112162831882517,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      PID:3076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,2692976674662456700,10385112162831882517,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2544,i,2692976674662456700,10385112162831882517,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:8
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,2692976674662456700,10385112162831882517,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,2692976674662456700,10385112162831882517,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\phlno" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:768

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\phlno\j5ppzu

Filesize
288KB

MD5
9a3efac6cbb953007e61987d5299af8c

SHA1
1b636605499b29843c6e174e4839ba9b5903a4ab

SHA256
8d5473e4703144bc973151bf6d6b77fa6e3cc75b22996b308560468ae966491d

SHA512
da6115118c04a34aa90d8a1b353270f4fe9350a5ae0eed51918ebb8e3f97e14c42eea98b7e0080e9e8ee451cd3ab00c751aa1493c5ad2e9e9e79d5e88d74dc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4926d443c4eec8fa1d1ba9d52aa17271

SHA1
c40e45a9938bade4a3efb19862c3f7b8a76a874a

SHA256
524fe6950e5fb242781d29b5c2cc1c872112bb98ee7091a59ecf8504fb48b01f

SHA512
e52aecabf17a6d9bb142af3be41a088ac0dd0f66df7c392eeb9eddd4e482bbffe2432cb828336f03ad190a1b971496ca73d1924ed3485153a3b2ccd0b5375685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
7254d04dc88e91f8d195a959b3371ba1

SHA1
88d272b012ffc415beb02192235d7b44bd0ecbbb

SHA256
4f6f053d34fa4c48a0c47a778ee4cef8071bef4530ce0f927fb878b2068a56fc

SHA512
1237dd66874c2cb1fa3b83d0f917065b68f0c499d0b581df514a031e33f5f3bbd5f5dc94a1d4e9919a16e1b6705b282c76747e7dce170f3252b8f20b22dedd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\90a6d29b-a48a-4f91-8bcd-bab6b835fb63.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
f23cf06bff957f6a57e4e9246aae43fc

SHA1
f1488aea022f396512b9de9da4b12621d3bc857a

SHA256
d77e7dddbb665b60f38186ac714a7da1fa708dfcbf2ab5488a662f13f7920330

SHA512
f9c4c52b07bd3dcb95694f6187cd3bab0f11aee78e543e55de2e0bdfa4dac0718009b7066f02c1d2091960161e7761c5c2bb4fa94fc6550677deddc714d58b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
72f2f5d037b0734d4c2ac7f449fb5995

SHA1
370499607342466002963ed445f973eb8b92fa2f

SHA256
2e31259a74a0e6339c1c9a4db5f324778ff28fb633163cdaf6f84eabe5445080

SHA512
6cf2326080486618ff4a9b4d732ac8eb0a5d63b285715ede932197e41aac3423add795b3397d8f7c3bd301f5b38fd23d178dca959fdaacedefa18e67050b6d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4316_1263158426\878592ed-1bf7-48bb-b618-bbb4afd18472.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/3260-388-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-376-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-377-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-382-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-386-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-387-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-392-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-395-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-732-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-747-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-750-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-752-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-753-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-760-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-761-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-765-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-766-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-770-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-771-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-778-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-779-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-780-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-781-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-782-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3260-787-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download