vidar | 8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e

Analysis

max time kernel
33s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

573KB
MD5

017e837d6e14a2412d5b7b385f8bca28
SHA1

3596a371841ec6cad17cdbfcde4425d980cb69e5
SHA256

8a51d26be760d2515fdbe742bc84bd08d05d4e7f665bdd3c37b8c425f839675e
SHA512

3aa9e36006182f8e640d8efb84fb505d8449c0d7feea0a803c5e7b283a11603ced81b076016acd15aedb15b0a1f060b7c76ebc53063c8fe9f54be925bf79c855
SSDEEP

12288:5ONjf6etLUrXh2ceG+9LKLdEEo4Edka+9LKLdEEo4Edk:5mfZxMaKLdjRaaKLdjR

Score

10^/10

vidar c466785b3a34d7b3c4d6db04a068b664 credential_access discovery stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

c466785b3a34d7b3c4d6db04a068b664

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 30 IoCs

stealer

resource	yara_rule
behavioral1/memory/3456-0-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-1-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-2-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-9-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-15-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-16-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-19-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-23-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-24-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-25-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-29-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-30-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-66-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-76-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-77-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-78-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-82-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-86-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-87-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-88-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-92-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-136-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-494-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-553-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-556-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-558-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-559-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/3456-562-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2708	chrome.exe
3692	chrome.exe
6012	chrome.exe
3224	chrome.exe
5668	msedge.exe
3328	msedge.exe
3528	chrome.exe
4544	msedge.exe
4568	msedge.exe
1156	msedge.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 3456	2028	file.exe	88

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894533061772627"	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
2708	chrome.exe
2708	chrome.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
5668	msedge.exe
5668	msedge.exe
5668	msedge.exe
5668	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
5668	msedge.exe
5668	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 2028 wrote to memory of 3456	2028	file.exe	88
PID 3456 wrote to memory of 2708	3456	MSBuild.exe	96
PID 3456 wrote to memory of 2708	3456	MSBuild.exe	96
PID 2708 wrote to memory of 6028	2708	chrome.exe	97
PID 2708 wrote to memory of 6028	2708	chrome.exe	97
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 3120	2708	chrome.exe	98
PID 2708 wrote to memory of 4924	2708	chrome.exe	99
PID 2708 wrote to memory of 4924	2708	chrome.exe	99
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102
PID 2708 wrote to memory of 3692	2708	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb3a2bdcf8,0x7ffb3a2bdd04,0x7ffb3a2bdd10
      4⤵
      PID:6028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2
      4⤵
      PID:3120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1564,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2248 /prefetch:3
      4⤵
      PID:4924
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:8
      4⤵
      PID:5060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3060 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3100 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3692
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4228,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4236 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:6012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4656 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5292,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5304 /prefetch:8
      4⤵
      PID:5320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5460,i,6537585441746769556,2548908706846324469,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5472 /prefetch:8
      4⤵
      PID:1464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffb3a29f208,0x7ffb3a29f214,0x7ffb3a29f220
      4⤵
      PID:3820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:3264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:5616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2432,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:8
      4⤵
      PID:2116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2460,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4140,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5232,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
      4⤵
      PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
      4⤵
      PID:3804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4740,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4960,i,14704867724980766587,5211421790666681582,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
      4⤵
      PID:3752

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3340

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
8d1c40d0417c6ce85086261ab19f8bed

SHA1
d6087a440890c6e204debd494e4a5883a2ee6f42

SHA256
08d3a1e173c7cc7488cc350d187841cc19576112b0e3f25983e3f872d5cfbefd

SHA512
c2372ac1258ac65304efd1857f5793fbaca1b395e5c9f9e7890727da7a2c6e9b04ab51492760dcaee3024a3ceaebcad56afceee9b18a7094fec2ab828ca422ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
4bac7f1c06ebdb20372e202f6c296cbd

SHA1
e9dbac572c47d4c6bca46498f43d2797a08ea9ab

SHA256
5c59604ab41d60c4b964143649f620cc9aa83af08fddc8fe17a2afb1efeb6482

SHA512
c96b26020f055138eae7db2019e13a5f79493a4d358263ed4da935c5aa74c27e6d427e2cf42ec3adb0c5cba3b115a332f7b11e7ad640de1868b356143e68fcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5a7e1750438748bd333b79a94ca69b2a

SHA1
94fd1be56969e269ce195ba29c3d464d356d6556

SHA256
6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

SHA512
842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eec55fe349980566b1dbf1d409d28c3e

SHA1
654ce4b550defea0851f12e8ff81ae9298bb3f60

SHA256
2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

SHA512
58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
1KB

MD5
797f754c1466ae3dcc6865f7dcedd357

SHA1
8bace186b7946657e5823a1ac2d6de22ad2491d6

SHA256
788840cef3876c45afb3d92c0ac23607349a996754b8af9c5fd38cd4f7c021ba

SHA512
747a77760fac0a02832a8e7eed38e8f5535f1abc04730af6a4ab3949958a3df063b06793dfa40979958b6785081e430e372e90de109507cd31610e379515ee76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe57d949.TMP

Filesize
1KB

MD5
84f83384b64659f5aea9a0e272f48f3a

SHA1
59dae5c25611fff61d49afffae860d3d5b82305b

SHA256
0f7c2bf7aa1c7a7109f53fe6ebdfbc1b07933f2e90c5565bdccc0f658b8aab98

SHA512
21b7e1ff394c2d27243b83bf278846106461a85ef306fedeb0db45d32aadeb2e21834ee71dda9f6d9434fe53d09fcf5eabfda4f11a1813dbcbbd9aef6d04eca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
b097effdf48a0cd32930ffc2279c8a5e

SHA1
692986e1c1e0ebf6f053fc18bbd5298f92261fb9

SHA256
a2fb101b2b5855ccd279f0ea8786daecc491bacaf1049a44a690ea54e77f9610

SHA512
05920f38266edae92f59f379bacc38b4a88023a49a24aa54f9c1846b7690b611a2cce04b974c309b3639be792e55eb6eaceaadcb7fe52565e6a2a70314e9795c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
e0742483550217b5cbc429222559e19e

SHA1
94aa5bab64014675ac97f0987225210267704000

SHA256
94d1b259a28fb1116eb602d8cc925d0bf403a1352dcf3211be5f8893c0b08259

SHA512
e8fcf6829479808905439b7d6bd8a75eaa0167abf9e4b5bd2675e693e051575db52d14395aa6f26fd942a6094aba49e72362ca84090b83d3ef677a4b51aeb2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2a3388599100d012488dd477ae1a5af7

SHA1
e83bd1ac0d4984d268d8f55b08b45d4a7a12fa3c

SHA256
f55a71af409da768953e8de6422ca4b3491d85a98079412c00881c9673854138

SHA512
d62f1c21e178f7b55dc257d1ab55b1d5c9010ddccbf4551742e349ceee322150c269674b418aaae28b9a0d45ae3cdb2f7509a7c882c156a8cc8380eac0fe07e7

Download Submit
memory/3456-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-82-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-87-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-88-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-136-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-494-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-553-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-556-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-558-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-559-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3456-562-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download