vidar | 0921b5c74e073c331a8ba6396e8ffe3d90486d7cec0b54dd8801112e33cdb177

Analysis

max time kernel
142s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe
Size

1.7MB
MD5

064e51084b64d71b80d70894ab511246
SHA1

80a04ee1a2c62e4a312fb9387508c3d08d700ecd
SHA256

0921b5c74e073c331a8ba6396e8ffe3d90486d7cec0b54dd8801112e33cdb177
SHA512

fcc27c0a60c955c7feea8ba757a148d189a44e90e512f57bb5b8e9e0ba1b6e200cb39d9a0609de0cea1959e5d4df36f30ee6ce1ccb2b601bb860e53a5bfb6004
SSDEEP

24576:6rloDyu6xW3AQpF0Fyrjw83M2HlA7Izl+63FZZ:oMyC3AQCyrjw88v7Izl+63F3

Score

10^/10

vidar eb17a39311b2fbc653bb6a88c15634e4 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

eb17a39311b2fbc653bb6a88c15634e4

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 35 IoCs

stealer

resource	yara_rule
behavioral2/memory/5516-4-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-5-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-6-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-15-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-16-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-21-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-24-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-25-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-29-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-31-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-35-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-39-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-81-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-82-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-83-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-84-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-87-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-91-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-92-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-93-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-97-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-100-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-451-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-475-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-480-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-482-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-483-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-486-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-487-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-488-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-489-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-490-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-491-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-492-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7
behavioral2/memory/5516-495-0x0000000000F70000-0x0000000000F99000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5620	chrome.exe
4608	chrome.exe
2792	chrome.exe
6052	msedge.exe
4076	msedge.exe
5672	msedge.exe
5100	chrome.exe
4520	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3208	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894887873529899"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5100	chrome.exe
5100	chrome.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe
5516	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
6052	msedge.exe
6052	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe
Token: SeShutdownPrivilege	5100	chrome.exe
Token: SeCreatePagefilePrivilege	5100	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
5100	chrome.exe
6052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78
PID 800 wrote to memory of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78
PID 800 wrote to memory of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78
PID 800 wrote to memory of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78
PID 800 wrote to memory of 5516	800	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	78
PID 5516 wrote to memory of 5100	5516	BitLockerToGo.exe	79
PID 5516 wrote to memory of 5100	5516	BitLockerToGo.exe	79
PID 5100 wrote to memory of 4468	5100	chrome.exe	80
PID 5100 wrote to memory of 4468	5100	chrome.exe	80
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 5464	5100	chrome.exe	81
PID 5100 wrote to memory of 2072	5100	chrome.exe	82
PID 5100 wrote to memory of 2072	5100	chrome.exe	82
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83
PID 5100 wrote to memory of 1260	5100	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4971dcf8,0x7fff4971dd04,0x7fff4971dd10
      4⤵
      PID:4468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:5464
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1484,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2268 /prefetch:11
      4⤵
      PID:2072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2392 /prefetch:13
      4⤵
      PID:1260
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2308 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4520
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4284,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4316 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:4608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4724,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4656 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2792
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4764,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5344 /prefetch:14
      4⤵
      PID:5848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5532,i,15118718498918046472,1926616061596569802,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5544 /prefetch:14
      4⤵
      PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7fff4953f208,0x7fff4953f214,0x7fff4953f220
      4⤵
      PID:3904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1864,i,5954904354653165034,16184306912871581120,262144 --variations-seed-version --mojo-platform-channel-handle=2608 /prefetch:11
      4⤵
      PID:3560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2556,i,5954904354653165034,16184306912871581120,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:2
      4⤵
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2136,i,5954904354653165034,16184306912871581120,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:13
      4⤵
      PID:1860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,5954904354653165034,16184306912871581120,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3528,i,5954904354653165034,16184306912871581120,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\nozuk" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3208

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5632

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
83e88cb23f14b9fc53ce32728b41dc3a

SHA1
ce0ee930c629ca313102695e0f85c244dd0f7922

SHA256
1dda2ed02089f1d63fb7044e5f2a7b30ce43294c93fbbe379e2d36835cd9f63b

SHA512
2e12fe66ddd8b53f5a525eb55a4a4e5cbdd93f12be42aff433e3353af0ea2720c07e6c5444e5462eb722eb3a46e13d6fcf3dc1f4ac451c901a2417603ab479c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
dbe81e4d9a558818d62265afefb155c6

SHA1
cb45a26302925928d7561d75431a60349083c3c9

SHA256
93f552cf1ca859daa21f65cd2a1b7c151e92ed999634e3eae3e477e531feaa4f

SHA512
590634987e1f5ab390f35878b47d1e79e869b01a6691bec5a841f30703f46306e76d0b210fb94dc5978441f725e1ddccc7f9c8a8163a68590966c35c7a682ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
34d09b852bf4a5ef1d936591501926ca

SHA1
88ff0b1c2a5664765e11e47843a5ac8e1782ed0c

SHA256
52bd897dfdfca849d627b36a49b976eef861b1a7af075527c8f247adb862dc20

SHA512
dc63eebf94384dc9580f5e3c9291047e8d410f8fc1f746d180673f445a9bbe746608c01cbf10a38f2f935cfa5c8bb89864f87cabd8fece809dcaa1fa137f71d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\60f96cdb-14c3-421d-815c-7468d92ae6d0\index-dir\the-real-index

Filesize
3KB

MD5
b7c9c2d8cab788ace6b68579bbef209a

SHA1
a40df93bd50c2acebb5067627c910096227d1403

SHA256
e3688570e2d1e80e78cce05e353bf0a4f074be4774f8c4075bb0151f5441d770

SHA512
26584fc509d2a566107bc6a375f88ba0d5aff9873196941fdfee499b76d2448ab1185d86349893aa0762e66be81b8ca7f619500421959400c137c57d8960af3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\60f96cdb-14c3-421d-815c-7468d92ae6d0\index-dir\the-real-index~RFe57f0d8.TMP

Filesize
3KB

MD5
46d7354f2af9280ebd7f5aacc6862d96

SHA1
fd63d185bb8aec14582ef0e8664e21edfcc43701

SHA256
6d1e30fdc5bf3675437bc479e41bf73835327d2a4a95f722d40d935a6a6c2dca

SHA512
745c29e655772cb189a3bc9845212c85db5c551821e6bd49406750a13a5b1af4638d4d661a5040a35330a35000463c12713f30a17386b9ad898327c07001e84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a29a00577da8ad51389edd0deef71396

SHA1
6b2609535fb4f8a7825070848b926db6306f4c30

SHA256
69ff0a5de980306230b334a477388a2c31f91a21bb5cc125bbc64309370b0bae

SHA512
09ec2a053f8e34ad37a2c36e587932a636699fdaf3e96af7ea62c2ab0eaed4001a9ef305b7fbb77f668e4f225a2d57e441055715db12c72a61cbbe94412776b8

Download Submit
memory/5516-87-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-100-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-35-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-39-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-29-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-25-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-24-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-21-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-81-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-82-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-83-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-84-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-4-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-91-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-92-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-93-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-97-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-31-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-16-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-15-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-6-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-5-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-451-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-475-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-480-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-482-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-483-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-486-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-487-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-488-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-489-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-490-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-491-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-492-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download
memory/5516-495-0x0000000000F70000-0x0000000000F99000-memory.dmp

Filesize
164KB

Download