vidar | 3ceea626c1796347ccdf784ca0477992c39248d5f83851649e50d72df135becb

Analysis

max time kernel
100s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe
Size

1.3MB
MD5

f673ead8ea61be7cd25a6bc11aa8f921
SHA1

d7cae6301dfc7e6a3049653f6d6e3b3cbbb52ca7
SHA256

3ceea626c1796347ccdf784ca0477992c39248d5f83851649e50d72df135becb
SHA512

5cf93bf8b9d91059f0e9b172c85cb5b4f2d1baac1ea83b354eac3400b414f8575c5a14e6332ff7736c00da0cfe81983c71b78189dda7d51bac1b93f982325484
SSDEEP

24576:MSoc97WbdaoDJ0ialHJ1hs+aeOWwjQ6VgL9pXW+hJdK1JNm:Ac97UN161hs+aaqgL9pGkJdK1JY

Score

10^/10

vidar 7a48c83a230d8076280af316c6d72f8f credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

7a48c83a230d8076280af316c6d72f8f

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 36 IoCs

stealer

resource	yara_rule
behavioral2/memory/5116-4-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-5-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-6-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-15-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-16-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-21-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-22-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-25-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-29-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-30-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-31-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-35-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-38-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-54-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-77-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-78-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-79-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-80-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-83-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-87-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-88-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-89-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-93-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-96-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-407-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-458-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-461-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-463-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-466-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-467-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-469-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-470-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-471-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-472-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-473-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7
behavioral2/memory/5116-476-0x0000000000E60000-0x0000000000E89000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4828	msedge.exe
5160	chrome.exe
1064	chrome.exe
4408	chrome.exe
1776	chrome.exe
5784	chrome.exe
3512	msedge.exe
4820	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5948	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133896858222276382"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5160	chrome.exe
5160	chrome.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe
5116	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
3512	msedge.exe
3512	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe
Token: SeShutdownPrivilege	5160	chrome.exe
Token: SeCreatePagefilePrivilege	5160	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
5160	chrome.exe
3512	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84
PID 1796 wrote to memory of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84
PID 1796 wrote to memory of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84
PID 1796 wrote to memory of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84
PID 1796 wrote to memory of 5116	1796	2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe	84
PID 5116 wrote to memory of 5160	5116	explorer.exe	85
PID 5116 wrote to memory of 5160	5116	explorer.exe	85
PID 5160 wrote to memory of 5188	5160	chrome.exe	86
PID 5160 wrote to memory of 5188	5160	chrome.exe	86
PID 5160 wrote to memory of 4312	5160	chrome.exe	87
PID 5160 wrote to memory of 4312	5160	chrome.exe	87
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 3268	5160	chrome.exe	88
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90
PID 5160 wrote to memory of 1164	5160	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-21_f673ead8ea61be7cd25a6bc11aa8f921_cobalt-strike_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1333dcf8,0x7ffa1333dd04,0x7ffa1333dd10
      4⤵
      PID:5188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1444,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=2088 /prefetch:11
      4⤵
      PID:4312
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2060,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=2056 /prefetch:2
      4⤵
      PID:3268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=2356 /prefetch:13
      4⤵
      PID:1164
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=4220 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:1776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4540,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=4512 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5348 /prefetch:14
      4⤵
      PID:1836
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5540,i,48578637542921842,6019800647211258099,262144 --variations-seed-version=20250410-184111.240000 --mojo-platform-channel-handle=5544 /prefetch:14
      4⤵
      PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffa0733f208,0x7ffa0733f214,0x7ffa0733f220
      4⤵
      PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1872,i,16922207473161121131,14523310810077467981,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:11
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2192,i,16922207473161121131,14523310810077467981,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:2824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,16922207473161121131,14523310810077467981,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:13
      4⤵
      PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,16922207473161121131,14523310810077467981,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,16922207473161121131,14523310810077467981,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gdba1" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5948

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
87f8375867eda3e847bd9ddcd1557f23

SHA1
e3e9398a936dfee827d93588dd39432ea61d84e6

SHA256
b3e56150a9286ac8a3652fc1622ed53bd279f43358280da367307e3bb42169f8

SHA512
775f151f8fc0d5e042655b62768983d595514250446e17dee681b0b7f2906307a56d89d7a260196fa24d1abb6baac823de8dc591c7f4df7a66ef1bf97d5e58d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
f0a264821ad56f587ef8a5f5000b3cbd

SHA1
fa8ccbacc8036038543f20fea54b289f0b4fc0f8

SHA256
4a198d269b94f672544ed22c86c64f30b4e6fb3db8c4ffbde13759c6e16a2e48

SHA512
91f708803cc29b551649f039a8579c122f850698b580335813f90b9993a0b6b132ba119185f845666ddaaca5aa255ed14f3a0b34c8cccdd95ac24e0c53574117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0631e4f-572c-4490-b8d7-80ec75ff9b62\index-dir\the-real-index

Filesize
2KB

MD5
fd688b98f30be5915091d2c2775f88eb

SHA1
1f0ea3c0c99ea06c4113ddeb199ebaae43c218e6

SHA256
be1fb71f2d570e79a58ba4e52cba1d7b425fb33b08ec7823cd3db4eba6cec550

SHA512
f3286d762d3527526cfbf3890196b97991de1ed636d94fa30b77fb1580dff97891e6c11b226aa6d1326a5e39f777d362c6898cf104499312dbd0cfd412dfc950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0631e4f-572c-4490-b8d7-80ec75ff9b62\index-dir\the-real-index~RFe58310e.TMP

Filesize
2KB

MD5
46b60531b68a4e3dcd0e31c4a580b282

SHA1
c49c8d6be308bae064254e42a6e9105cf56f92e5

SHA256
4a58eff0922cef39cc0c577694e71812e3649a00aa2eebc7f8575a182f14a1a4

SHA512
a67c65684507290691deca63fd10b5add97055e2d210cfa75389057948a4a88a700c081ce3a325124793f76f97e7922de5551631277224aadf3ee3d7f4fb6c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
69471900176856bce37193a419e3da36

SHA1
60b627e706d26b16ee0ed19a2bb4e0a467e1c185

SHA256
2226ace8879ff314714462901bf73d0eb2046ebd5b9868203bfd49b023ae867f

SHA512
c957b345cdc0028a9e5267e0752869bfa5e9fb2a4d83625fbe48f9ced2e4ff3ab5dfdc109aa7fb2f9049c100ace4c27c5729f6fbeab30b03782034a32effaf4e

Download Submit
memory/5116-31-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-89-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-30-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-4-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-35-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-38-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-25-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-22-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-54-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-21-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-77-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-78-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-79-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-80-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-83-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-87-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-88-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-29-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-93-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-96-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-16-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-15-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-6-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-5-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-407-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-458-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-461-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-463-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-466-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-467-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-469-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-470-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-471-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-472-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-473-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download
memory/5116-476-0x0000000000E60000-0x0000000000E89000-memory.dmp

Filesize
164KB

Download