vidar | 5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496

Analysis

max time kernel
103s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
01/04/2025, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vidar.exe
Size

1.7MB
MD5

175c9b6b2db3b3624f7df4c54dff3262
SHA1

a96c038467d2d6ff0b95275a828948997b6987a3
SHA256

5ce7687d00cc5cdc0b7575bc68940f7a092a1f559f987f3b6a9b0c837eaa6496
SHA512

3d728ce053930f16c8debc087807b3eaadef3c9b21a452b49f13ce767b35b221e71b15db8c849fe71c7d0077d2c0ab31506762626622f87347c596260cddff34
SSDEEP

24576:2iB4QbCAnGZPk/jhW2DQQ3iF2K8+2ntZ8oWyOpZwrlUR:2iB490ykrlUR

Score

10^/10

vidar 00cb84c6bd4caac4bdfc1131beae4df7 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

00cb84c6bd4caac4bdfc1131beae4df7

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 43 IoCs

stealer

resource	yara_rule
behavioral1/memory/3696-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-21-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-27-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-31-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-74-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-371-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-372-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-373-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-377-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-381-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-382-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-383-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-387-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-420-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-757-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-796-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-799-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-801-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-802-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-812-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-813-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-817-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-818-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-822-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-823-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-830-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-831-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-835-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-836-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-837-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-838-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-839-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3696-845-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1316	chrome.exe
1640	chrome.exe
2408	chrome.exe
3912	chrome.exe
1328	msedge.exe
6060	msedge.exe
6136	msedge.exe
1480	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 3696	228	vidar.exe	80

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3636	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879490801324597"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
1480	chrome.exe
1480	chrome.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe
3696	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1328	msedge.exe
1328	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeCreatePagefilePrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1328	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3896	228	vidar.exe	78
PID 228 wrote to memory of 3896	228	vidar.exe	78
PID 228 wrote to memory of 3896	228	vidar.exe	78
PID 228 wrote to memory of 5372	228	vidar.exe	79
PID 228 wrote to memory of 5372	228	vidar.exe	79
PID 228 wrote to memory of 5372	228	vidar.exe	79
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 228 wrote to memory of 3696	228	vidar.exe	80
PID 3696 wrote to memory of 1480	3696	MSBuild.exe	81
PID 3696 wrote to memory of 1480	3696	MSBuild.exe	81
PID 1480 wrote to memory of 2884	1480	chrome.exe	82
PID 1480 wrote to memory of 2884	1480	chrome.exe	82
PID 1480 wrote to memory of 5064	1480	chrome.exe	83
PID 1480 wrote to memory of 5064	1480	chrome.exe	83
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 4340	1480	chrome.exe	84
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85
PID 1480 wrote to memory of 1292	1480	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\vidar.exe
"C:\Users\Admin\AppData\Local\Temp\vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:5372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9400dcf8,0x7ffa9400dd04,0x7ffa9400dd10
      4⤵
      PID:2884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2060,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2124 /prefetch:11
      4⤵
      PID:5064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1984 /prefetch:2
      4⤵
      PID:4340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2412 /prefetch:13
      4⤵
      PID:1292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3864 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:2408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4712 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5368 /prefetch:14
      4⤵
      PID:5220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5364 /prefetch:14
      4⤵
      PID:2904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5608 /prefetch:14
      4⤵
      PID:2664
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5588,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5584 /prefetch:14
      4⤵
      PID:5832
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5676,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5600 /prefetch:14
      4⤵
      PID:6008
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5672,i,3716951310717215793,52454139125077434,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5652 /prefetch:14
      4⤵
      PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:1328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x260,0x7ffa93fef208,0x7ffa93fef214,0x7ffa93fef220
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1844,i,8812059949650594331,8141979429683472138,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:11
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2260,i,8812059949650594331,8141979429683472138,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
      4⤵
      PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2500,i,8812059949650594331,8141979429683472138,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:13
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,8812059949650594331,8141979429683472138,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3464,i,8812059949650594331,8141979429683472138,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\16890" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3636

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\16890\26f3e3

Filesize
288KB

MD5
5ea5ade6ec10354b783ff9e3e98c3500

SHA1
9d501fd9a7ca63da2073c2dc4f427d926ac730d1

SHA256
d72b3ac67ec41f44b604ca3b851522887dc2c7df2f14e7d99c7b2c98d211455f

SHA512
bb90c0419de462a27fd1480077a20bfbf146bae5931d2c393c4f896a2f61c0c4afe3f0e149e0f34729467bac42379370d091f2a322ef73ecceb7f74b7ac6f4cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bdf1437adf0bee398b11e53a851cbca2

SHA1
b79395388ce2c6a77713e33144548fe577ff9f9e

SHA256
e5125e596fda90280bbb4bd4bdcc598205b4fb6f2134b601331629244ad0139b

SHA512
e43d0d3bd2d8f167f7a8906cb449c3fa5a519b32cc2db6089f43350ad5746fab3c66ed690c4ad3d576cedf11055d3b3bac556803d32ec372f42dc58ada4bb2d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
a5c242ccf689e64f60d693296fe2ecfb

SHA1
2a93cc3b462e2668b234fe35d943ff59a040be64

SHA256
91518d4a1c7e9969a0bdd3d92ee9c2cad7129aef005a4038ebcbcc17c567be03

SHA512
b5dfb027820d6e309f107d81798d2fbadf75690a8556ed7d59b37b201dbfcf5824eb31cb2036cad88d45ad23cf38a7c6971112e966ab564d0025b35e0a307be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9bbd94ff-c138-48ca-aaaa-c6a0f6cdf9f3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
be237555a7fe39bc0b949c8c57fba94e

SHA1
d5e0a10ce76b2854d8d203fa2d92a4e3dfa1a38a

SHA256
004a84f00ba3a61c821fdf5a301f1e831ffcb8f961e7d18a39d2f63df177b9c2

SHA512
90d933ed59c8bc10ace477ad199fd3057e0ba9e7ef81ef8801208c38c1426fdbdee52b742f7bd599943c03bb5f8e1900037610d6bc60d9ca2f8c7f7eb858818a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
9aa144e6d0bf82d5fa0f4455655dfe55

SHA1
7bb12e72031aef9b851b7b3eb8f861c4a9a6a52d

SHA256
9f380f944fd3eea77e447db266bfcfc1366fdae530196bee0e51f29f047877a9

SHA512
28cf8f9092d77604dcfc525190593ee28b49b1665f471a24812a406ac0d93c4a1a08335476cf18e8055f7e76ecd5a97ff9c9e741272bb4821b356946972c58b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1480_959359802\519a08db-0958-47a1-a210-2c75f2c54dab.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/3696-383-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-371-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-372-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-373-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-377-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-381-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-382-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-387-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-420-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-757-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-796-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-799-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-801-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-802-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-812-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-813-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-817-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-818-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-822-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-823-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-830-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-831-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-835-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-836-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-837-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-838-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-839-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3696-845-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download