vidar | f0e69027e42692d86e5568255610cf9b07223b9cf07327a3d78086c60102e47d

Analysis

max time kernel
141s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
18/04/2025, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe
Size

820KB
MD5

3cd0db86d5e81b8825b77e67df41bf1a
SHA1

cd22219cff15afd6666866a39025cdbabcf39672
SHA256

f0e69027e42692d86e5568255610cf9b07223b9cf07327a3d78086c60102e47d
SHA512

30c04177a69bf1796ec2f059031f280a385dfeeeadb84e66172f6258efbb96184905604a402b65889430948aef0f5e8d1e86370f5959157618c52374f00821df
SSDEEP

12288:4/DKcz2a8Ep3A5WWwLUWdt6/FcMMSdLHmc+9LKLdEEo4Edka+9LKLdEEo4Edkl:QKcz2aN34WWXN/FAcaKLdjRaaKLdjRl

Score

10^/10

vidar c466785b3a34d7b3c4d6db04a068b664 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

c466785b3a34d7b3c4d6db04a068b664

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 40 IoCs

stealer

resource	yara_rule
behavioral2/memory/6104-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-11-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-12-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-17-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-21-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-26-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-27-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-31-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-32-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-68-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-78-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-80-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-81-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-84-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-88-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-89-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-90-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-94-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-97-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-452-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-490-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-493-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-496-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-497-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-498-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-499-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-501-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-503-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-505-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-506-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-529-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-530-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-531-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-532-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6104-535-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2816	chrome.exe
3292	chrome.exe
4028	msedge.exe
5348	msedge.exe
3332	msedge.exe
4912	chrome.exe
4888	chrome.exe
5108	chrome.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4536	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894160521109915"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
4912	chrome.exe
4912	chrome.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe
6104	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe
Token: SeShutdownPrivilege	4912	chrome.exe
Token: SeCreatePagefilePrivilege	4912	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4912	chrome.exe
4028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 2176 wrote to memory of 6104	2176	2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe	78
PID 6104 wrote to memory of 4912	6104	MSBuild.exe	79
PID 6104 wrote to memory of 4912	6104	MSBuild.exe	79
PID 4912 wrote to memory of 4684	4912	chrome.exe	80
PID 4912 wrote to memory of 4684	4912	chrome.exe	80
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4812	4912	chrome.exe	81
PID 4912 wrote to memory of 4792	4912	chrome.exe	82
PID 4912 wrote to memory of 4792	4912	chrome.exe	82
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83
PID 4912 wrote to memory of 5080	4912	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_3cd0db86d5e81b8825b77e67df41bf1a_black-basta_cobalt-strike_ryuk_satacom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff880b4dcf8,0x7ff880b4dd04,0x7ff880b4dd10
      4⤵
      PID:4684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1964 /prefetch:2
      4⤵
      PID:4812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1316,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2260 /prefetch:11
      4⤵
      PID:4792
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2576 /prefetch:13
      4⤵
      PID:5080
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3276,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5108
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3284,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4308 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:2816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3884,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5208,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5280 /prefetch:14
      4⤵
      PID:2128
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,4815861369418483469,3915615292538256084,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5512 /prefetch:14
      4⤵
      PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ff8807df208,0x7ff8807df214,0x7ff8807df220
      4⤵
      PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2344,i,3780234997517741423,15086719930089953941,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:2
      4⤵
      PID:1564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,3780234997517741423,15086719930089953941,262144 --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:11
      4⤵
      PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2316,i,3780234997517741423,15086719930089953941,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:13
      4⤵
      PID:572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,3780234997517741423,15086719930089953941,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3464,i,3780234997517741423,15086719930089953941,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\i5fua" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4536

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
456f0375b61a39bcc21bc633a693dbdd

SHA1
c651d1931303aa6b8a9df59a41e7de344e92a190

SHA256
d4567f9f8343d9ff7b3d16cce95d3c956c2891ac2d47a8c441fb4497ec30e875

SHA512
42e37daf3228ca685e9a73c807333258c7af6901cf113e76e637d1d347329fd352702eab387e952d205eee86f8a2fd6d1b5e3cabc86b9dd05d16abcbb59cd5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
90f349e6f12fccc02acc7395da1dee26

SHA1
d195c0ca8552fca0ddd42d6575be9b80c4d774d3

SHA256
8fa4e3ad1278128d514620fe99454454b4503604f2c54041dba184ce66ed8710

SHA512
bd52fc53f9c0ce1cb5ccba86512925366350f69354d1f306bc20d4c2f5aa1717b4856322ebaad94333ce6a06991f653bdf275160a4c1eeb4ea7fbd3fe0a195e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0c45ee0655e29b0a935a305e66bba8cf

SHA1
ad52868d94ba826e1f0b9db56d8fb7ff1c8fff2e

SHA256
d23f3010a3dd3688741250e254dd07d508883c099e1911c3e7d0854be85ca599

SHA512
479b8d020e5f818a452c050f27488928faed74c6d329ab58befc860f5bf76878efcdd03bd0eb7b83f22afb4e74aa40c7a0d6bb29677cb4cc03ff4dbd2687bb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\21cadfbf-a7e3-4662-88e0-29f664fa1dcc\index-dir\the-real-index

Filesize
2KB

MD5
b4e36a972c23fe0fa0e98672dd8d4fb0

SHA1
5fc3da0ccfab11e364f22aecd3299fd1365d3e40

SHA256
f94de50deb555a20d18d390e3ec62f3a698efd5433e33339b16f4a130f209729

SHA512
7f64115e21f49457023951ff4ce7943cc30e808615eaa968780d3f40f2342dc4484c14539a1ca5f679bfa528629f754128a2d5d7dfcf50c59fb76a8d87dcb158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\21cadfbf-a7e3-4662-88e0-29f664fa1dcc\index-dir\the-real-index~RFe57ad47.TMP

Filesize
2KB

MD5
6f644e814037a63974d189aaf0937b82

SHA1
7ec41e12af0e856d6c214fed99931e4edb074b43

SHA256
02914c2aea494fdfd72937c2b7f3b1336a2ef2a722e4b9f51f1166ab275fd549

SHA512
19e124b8820f1444830e258c3addb381b4c5168eeff62b5a8fbfb6ce39d3a4148374ff8db2ee11440a702073b5269da312c4d68343ac106434eafdf1cc3a5fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
d5d2d6f74e44850d06920c94ae132e21

SHA1
2f6e0c6adc436d7349a65cc4839ae64ca694fef7

SHA256
a0a26fba231c70c9bb7cc583b751a6c4f72f7509599f40c76d88c11828ffe85c

SHA512
ad0aa9b8f933ec8f8cfa4ef369b4158a96fec588c071f62e09fdc81edd25189a427d7cbe0486b2049b22e622cf9f221fb062c713e5f9233970a326fae4a0383d

Download Submit
memory/6104-89-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-80-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-81-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-84-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-452-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-490-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-493-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-496-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-497-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-498-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-499-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-501-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-503-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-505-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-506-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-529-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-530-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-531-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-532-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6104-535-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download