vidar | e705563d5634d217e0ebb3dcde0326e0cae0d57bc866871d8f4032747c8347f6

Analysis

max time kernel
136s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe
Size

1.9MB
MD5

61903c7168838b2fd1c701756d1efb15
SHA1

918de67ab700e3856d6ee40d239e68c0e806d11f
SHA256

e705563d5634d217e0ebb3dcde0326e0cae0d57bc866871d8f4032747c8347f6
SHA512

5f513cbc9e3fba4c3c0707d3ebca755664b09a8e8ce796826036a57b2ad6a6eec7dfa1b9fcec1b99af696bac71fbb6cfd0254f841e1dd466f3d7b61f4edf4c3c
SSDEEP

24576:NNI2LXlFLf2uee/0kd+mELBX11GyDXcOSbNpZwglUR:LnFFytugglUR

Score

10^/10

vidar 286abd424eeeb855a080435369086f7f credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

286abd424eeeb855a080435369086f7f

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral1/memory/1204-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-23-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-28-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-47-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-368-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-369-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-370-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-371-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-378-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-379-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-380-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-384-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-422-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-673-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-734-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-737-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-738-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-739-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-740-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-741-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-742-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-743-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-744-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1204-747-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4616	msedge.exe
4656	msedge.exe
1740	chrome.exe
1720	chrome.exe
1856	chrome.exe
756	chrome.exe
5672	chrome.exe
6068	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5776 set thread context of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5076	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879026886283262"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1740	chrome.exe
1740	chrome.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe
1204	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
6068	msedge.exe
6068	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe
Token: SeShutdownPrivilege	1740	chrome.exe
Token: SeCreatePagefilePrivilege	1740	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
6068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 5776 wrote to memory of 1204	5776	2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe	86
PID 1204 wrote to memory of 1740	1204	MSBuild.exe	96
PID 1204 wrote to memory of 1740	1204	MSBuild.exe	96
PID 1740 wrote to memory of 704	1740	chrome.exe	97
PID 1740 wrote to memory of 704	1740	chrome.exe	97
PID 1740 wrote to memory of 5276	1740	chrome.exe	98
PID 1740 wrote to memory of 5276	1740	chrome.exe	98
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 968	1740	chrome.exe	99
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101
PID 1740 wrote to memory of 1856	1740	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_61903c7168838b2fd1c701756d1efb15_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd8256dcf8,0x7ffd8256dd04,0x7ffd8256dd10
      4⤵
      PID:704
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1600,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      PID:5276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2108,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2448,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2592 /prefetch:8
      4⤵
      PID:5804
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3148 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4116,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4016 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4608,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4648 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5672
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5296 /prefetch:8
      4⤵
      PID:1136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5496 /prefetch:8
      4⤵
      PID:1628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3748,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      PID:4024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5732,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5592 /prefetch:8
      4⤵
      PID:3368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5724 /prefetch:8
      4⤵
      PID:5140
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,16643669985204988063,9042213444999052923,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5376 /prefetch:8
      4⤵
      PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffd8254f208,0x7ffd8254f214,0x7ffd8254f220
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,14213931564320715715,7274387859668223594,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      PID:3400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2204,i,14213931564320715715,7274387859668223594,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:2
      4⤵
      PID:5728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2372,i,14213931564320715715,7274387859668223594,262144 --variations-seed-version --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:4160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3284,i,14213931564320715715,7274387859668223594,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3276,i,14213931564320715715,7274387859668223594,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hlfct" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5076

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
58892cdcdfc4bb3ad8521cc3d5c69350

SHA1
555cfa89e5920b9591c9a7f6a84998350dcd1d3c

SHA256
202e25013e4ba95736295dacc87f22dfb376013cc69a9eda22356a5b39835c97

SHA512
0f9372be96cbf4573cdd52bd2b49655574e4c215f7803e758d1f8a57ac722d56cf6d4eb7ec07633ea962b65cd70b934ac2979d03e5778c0a569d36c0a08e7923

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
740c120bd691b882712b148005ed5212

SHA1
8543aaa11c118be452d3d07e0ae1098f6e76223d

SHA256
2499dbaa74b81209d69c746a57a5d0a5ef05927498fdac6df7683793709abdd7

SHA512
1daf7702c8df7c8eab8703c3fcf70353d005701b901fc0841fe717bd3fa9aef6590a4d5ee21c5507432e4ec4733c920e8f89c2c8d59aad08f08e8c023a8c40bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
65044109d1beb8ed8d59560642cbc519

SHA1
0084485b0aa26069232fab51ee603682e8edfd17

SHA256
a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

SHA512
96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
325B

MD5
cdf79f862e0e7af2636bdaa934ae8b12

SHA1
333f172c7ca01019dc3c348a0ebe85b0759d2c18

SHA256
3431b987e029b20d144c6be40c2a84fa43f9a213c8ab22e6584adaa6e1d8e804

SHA512
a1f15688e204cc3b7477249477efa56e92f72cd3be131a2910da29524525b22f281ac3294f26340a5dbdae91d2dd412f631df20dba3bffc167cccf67f19ec0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c4870dc8-2b7f-4eae-bb79-e381c8112132.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
7e897bfe4e15d9089e4fa5284792be83

SHA1
1b9b9c324c1e94b87c4b6bfde0247828e6b6b791

SHA256
27a4677e792776966294e1a8b16a0e048fd5cf2d522498c05b482c7298e3a102

SHA512
8871198f0729c048f9d16e14f4447e07c84d7b0fa6fd90ce5fc0a9466a88cb97d376a842ac5b3765e97b9ef5388c5fe66f17b0ef6242959e61fe1b2176c77823

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1740_947510930\de1da0bc-5f29-41ce-9d40-8939291753c9.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/1204-370-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-384-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-368-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-369-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-371-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-378-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-379-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-422-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-673-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-734-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-737-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-738-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-739-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-740-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-741-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-742-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-743-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-744-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1204-747-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download