vidar | cab894aaed4cbd0038876b91c471148a7eef2dea261eae4824fb9899338c766a

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_8edfeb2c1a7c0124f467661aa2c21427_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
Size

47.1MB
MD5

8edfeb2c1a7c0124f467661aa2c21427
SHA1

5181ad9ea6dc4df7b972044ade6e158f3a969a97
SHA256

cab894aaed4cbd0038876b91c471148a7eef2dea261eae4824fb9899338c766a
SHA512

ec01b8e3c2894b3ed1ff1f636b7672fa7b50c33ff1a41e273093559bb405572dc550f390fbfa9cf96f1d0fde11fa27ff408d8ac795e6c34b55e51b28044edd20
SSDEEP

393216:K76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfdnVQx4urYsANulL7Nw:K0LoCOn+2ds4urYDNulLBiuE

Score

10^/10

vidar 2cb5abbe09ff77d555a87055cfc206b6 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.2

Botnet

2cb5abbe09ff77d555a87055cfc206b6

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Signatures

Detect Vidar Stealer 36 IoCs

stealer

resource	yara_rule
behavioral2/files/0x00070000000242a0-14.dat	family_vidar_v7
behavioral2/memory/6120-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-20-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-27-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-28-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-33-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-34-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-37-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-41-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-42-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-43-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-47-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-48-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-91-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-388-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-389-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-390-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-391-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-394-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-398-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-399-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-400-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-404-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-406-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-774-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-834-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-831-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-837-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-838-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-839-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-840-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-841-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-842-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-843-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6120-846-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3408	chrome.exe
5272	chrome.exe
4056	chrome.exe
3056	msedge.exe
4768	msedge.exe
4660	msedge.exe
4932	chrome.exe
1320	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
5448	rty.exe

Loads dropped DLL 3 IoCs

pid	Process
5448	rty.exe
5448	rty.exe
5448	rty.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5448 set thread context of 6120	5448	rty.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_wp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2872	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878726645959219"	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe
6120	aspnet_wp.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
3056	msedge.exe
3056	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe
Token: SeShutdownPrivilege	4932	chrome.exe
Token: SeCreatePagefilePrivilege	4932	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
4932	chrome.exe
3056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 5448	4020	2025-03-31_8edfeb2c1a7c0124f467661aa2c21427_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	88
PID 4020 wrote to memory of 5448	4020	2025-03-31_8edfeb2c1a7c0124f467661aa2c21427_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe	88
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 5448 wrote to memory of 6120	5448	rty.exe	90
PID 6120 wrote to memory of 4932	6120	aspnet_wp.exe	96
PID 6120 wrote to memory of 4932	6120	aspnet_wp.exe	96
PID 4932 wrote to memory of 5484	4932	chrome.exe	97
PID 4932 wrote to memory of 5484	4932	chrome.exe	97
PID 4932 wrote to memory of 6068	4932	chrome.exe	98
PID 4932 wrote to memory of 6068	4932	chrome.exe	98
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 5660	4932	chrome.exe	99
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101
PID 4932 wrote to memory of 3408	4932	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-03-31_8edfeb2c1a7c0124f467661aa2c21427_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_8edfeb2c1a7c0124f467661aa2c21427_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\rty.exe
  C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\rty.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:6120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffd3074dcf8,0x7ffd3074dd04,0x7ffd3074dd10
        5⤵
        
        PID:5484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        
        PID:6068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2040 /prefetch:2
        5⤵
        
        PID:5660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2504 /prefetch:8
        5⤵
        
        PID:5640
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3076 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3024,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3052 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4272 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:5272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4552,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4700 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4056
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4956,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5272 /prefetch:8
        5⤵
        
        PID:4516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5476,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5488 /prefetch:8
        5⤵
        
        PID:4960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3716,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5280 /prefetch:8
        5⤵
        
        PID:5328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5712 /prefetch:8
        5⤵
        
        PID:5000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5304 /prefetch:8
        5⤵
        
        PID:1132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,13997278434016533621,14535329280432613962,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5376 /prefetch:8
        5⤵
        
        PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffd20daf208,0x7ffd20daf214,0x7ffd20daf220
        5⤵
        
        PID:3904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1924,i,921790291658082263,14561757142126563137,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
        5⤵
        
        PID:264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2284,i,921790291658082263,14561757142126563137,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
        5⤵
        
        PID:400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2456,i,921790291658082263,14561757142126563137,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:8
        5⤵
        
        PID:2072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3572,i,921790291658082263,14561757142126563137,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,921790291658082263,14561757142126563137,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\n7glx" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5992
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2872

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
69344e73153599b001c8791acbb5d2d2

SHA1
f70c632c20d44ac3991d44d22292de6932069725

SHA256
bb1a7f6ebe525aeec7dd7bf09e2e78c117ba162760fdcff6c2fc745072198b47

SHA512
3d7a68f395dc0043f2bd07c17e911ec52fd5878c6e00a80fa3fcd4964a8a522d904251b0f8993a227057330d730f003cf83b640097be454dc3ad9eb4513f971c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
e7be102eec73173ea727ca8724f9eff3

SHA1
9d4ebe8c3c339b9e0edd065b621b087549985851

SHA256
1efd8a9c49fdfeb1a86d7a39d08f2ffcaea510d1548baec3c9256f283133b329

SHA512
6079c0cf77f51f79699c1003ae5e7b93b6d2bde36a092b6b3d603c940589f729a86f5adc938c61e70edc6f442bba190e9029142b925d5dbb8cf64c975e7a3695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d2ec62e-ba9e-45ad-9fe9-73bac6e966d3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
490e2d43006e175673245ceca0c989bd

SHA1
cceaad5aaea9cf89a6a21941243a5d38b291513e

SHA256
c325a0d3d595e0cefd9fd560ec7137c8c697e6cae6a27c05a40a505a330ccb58

SHA512
eb58669a5cca0f31c675283f5ce6d639e37417693224033a918a3ad937003de6b24ba2282cda96e314d0b4757445b60a802559096312c67088eadfe15e74391b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
16965372a42ea4ea9184cb2da3b8d305

SHA1
2029550b95c73caa363af4cdbb731022181fd074

SHA256
505f720964d3d7fdebed11116a0faa6b0b3ab046b923866680ec9fd680c7bb5b

SHA512
96abe75c5f487085b2eb38c5f569fa1e51048eb5bab57ecebc9ebd1237a833a59a469218670b6bade2efbbc9b312077102befe98309fd0c49ebd0b790fd56b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\msvcp290.dll

Filesize
6.9MB

MD5
7869688b27b18ff3ee4cc25b29cdc131

SHA1
932d8ce6657f3853d1d81b9e376998fc2a5d147f

SHA256
454764248611a42f13dfcc2fd100bb494d4985205a97730e8892225c353e0635

SHA512
714452dbafad773ab8b1db6eb7625a2839cb744f27b966f3b8cd25bbc82480a74412203c055d62c878ec42a9714e9af3d2083c203fd74b95db2a72b596bd061e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\nasrallah_x86.dll

Filesize
137KB

MD5
20b62567046a96744bac2da399544c3e

SHA1
dc801f8392bd35af77c75d5a576003e3a282e6c1

SHA256
570951cebbe069ff3fa0bd37821ee1454fdd6c2a08e401aca936e7e00ee0b3d6

SHA512
c34a9d0c395c8b690b7843aa3e086a27624e52bad4e9b3992fa438cd2ded2667bc861e9fc0b9144c6c21b80202898e03fedc2e38bfe548fb3cf5f8f242f7bdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\rty.exe

Filesize
633KB

MD5
573c3aa20cab92c93663f0e475323557

SHA1
647598a3a90b23787b83f0c23ba26a8b4b779592

SHA256
9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a

SHA512
06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\tier0_s64.dll

Filesize
412KB

MD5
de738f87b7a558476d73d590ea20a3b9

SHA1
ea2da2c8b5c811ea798805d3e77250f12cf6da76

SHA256
87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

SHA512
934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\vcruntime210.dll

Filesize
3KB

MD5
9c0702613992090355c13b517ed50e0c

SHA1
2664d6386d1e4260632614a179f091f848b63cc7

SHA256
a5a3b2eb81a03eb6e75c890788dd4d83d0eab61eb17c4be4807858228be73ba9

SHA512
f4be29b967a0ffcfad92c3ee453d9f6c5b5554aeee1f2686f26346000b94bad2b4c9b3bc71b9e883af4f0a8d6397294dafa7647a5aa21045ea0ee0617dda7353

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf18a1e43914a2aad940427bf2fbf1e6\vstdlib_s64.dll

Filesize
2.4MB

MD5
97806e10bddfd2717e8414e8a4d45e3f

SHA1
757e8778042881950bbbd3f53c8da71e06a633ae

SHA256
902556559c4dac7aa1825a5d26824912033946dd88b401dee7fc99358948a7c5

SHA512
b37d3be0d0b9830184d4249f0741ad612a72062b02950a4cb4e81934c603ffc54086874fe218aac5f726d6c7cef16ceaeff855a5e4de62af39c8421f8c39b4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4932_1122942668\1b90c710-816a-4e7d-94e9-005c1fbcb479.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/5448-19-0x00007FFD21550000-0x00007FFD21827000-memory.dmp

Filesize
2.8MB

Download
memory/6120-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-404-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-91-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-33-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-388-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-389-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-390-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-391-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-394-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-398-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-399-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-400-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-406-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-774-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-834-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-831-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-837-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-838-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-839-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-840-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-841-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-842-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-843-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6120-846-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download