vidar | 0921b5c74e073c331a8ba6396e8ffe3d90486d7cec0b54dd8801112e33cdb177

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe
Size

1.7MB
MD5

064e51084b64d71b80d70894ab511246
SHA1

80a04ee1a2c62e4a312fb9387508c3d08d700ecd
SHA256

0921b5c74e073c331a8ba6396e8ffe3d90486d7cec0b54dd8801112e33cdb177
SHA512

fcc27c0a60c955c7feea8ba757a148d189a44e90e512f57bb5b8e9e0ba1b6e200cb39d9a0609de0cea1959e5d4df36f30ee6ce1ccb2b601bb860e53a5bfb6004
SSDEEP

24576:6rloDyu6xW3AQpF0Fyrjw83M2HlA7Izl+63FZZ:oMyC3AQCyrjw88v7Izl+63F3

Score

10^/10

vidar eb17a39311b2fbc653bb6a88c15634e4 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

eb17a39311b2fbc653bb6a88c15634e4

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral1/memory/4964-4-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-5-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-6-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-13-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-14-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-19-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-20-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-23-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-27-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-28-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-29-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-33-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-36-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-79-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-80-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-81-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-82-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-85-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-89-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-90-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-91-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-95-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-124-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-453-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-483-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-486-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-488-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-489-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-496-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-497-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-498-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-499-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-500-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7
behavioral1/memory/4964-502-0x0000000000B00000-0x0000000000B29000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5780	chrome.exe
3276	chrome.exe
4208	chrome.exe
5464	chrome.exe
3680	chrome.exe
1756	msedge.exe
3876	msedge.exe
1116	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6104	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133894886069296886"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
5780	chrome.exe
5780	chrome.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe
4964	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe
Token: SeShutdownPrivilege	5780	chrome.exe
Token: SeCreatePagefilePrivilege	5780	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
1756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96
PID 1360 wrote to memory of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96
PID 1360 wrote to memory of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96
PID 1360 wrote to memory of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96
PID 1360 wrote to memory of 4964	1360	2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe	96
PID 4964 wrote to memory of 5780	4964	BitLockerToGo.exe	100
PID 4964 wrote to memory of 5780	4964	BitLockerToGo.exe	100
PID 5780 wrote to memory of 5712	5780	chrome.exe	101
PID 5780 wrote to memory of 5712	5780	chrome.exe	101
PID 5780 wrote to memory of 4516	5780	chrome.exe	102
PID 5780 wrote to memory of 4516	5780	chrome.exe	102
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5444	5780	chrome.exe	103
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 3276	5780	chrome.exe	106
PID 5780 wrote to memory of 3276	5780	chrome.exe	106
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105
PID 5780 wrote to memory of 5464	5780	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-18_064e51084b64d71b80d70894ab511246_cobalt-strike.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5780
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbe06bdcf8,0x7ffbe06bdd04,0x7ffbe06bdd10
      4⤵
      PID:5712
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1564,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2044 /prefetch:3
      4⤵
      PID:4516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:5444
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2552 /prefetch:8
      4⤵
      PID:5956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3060,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3104 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5464
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2872 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4232,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4252 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:4208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4676 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5308,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5320 /prefetch:8
      4⤵
      PID:4048
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5560,i,1166835537690952799,7635442029992007222,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:1756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffbe069f208,0x7ffbe069f214,0x7ffbe069f220
      4⤵
      PID:1856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,18047247901493355827,9075326234494294727,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2080,i,18047247901493355827,9075326234494294727,262144 --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:2
      4⤵
      PID:432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1404,i,18047247901493355827,9075326234494294727,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,18047247901493355827,9075326234494294727,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3464,i,18047247901493355827,9075326234494294727,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\tjeuk" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:6104

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tjeuk\aaie3o

Filesize
288KB

MD5
9a3efac6cbb953007e61987d5299af8c

SHA1
1b636605499b29843c6e174e4839ba9b5903a4ab

SHA256
8d5473e4703144bc973151bf6d6b77fa6e3cc75b22996b308560468ae966491d

SHA512
da6115118c04a34aa90d8a1b353270f4fe9350a5ae0eed51918ebb8e3f97e14c42eea98b7e0080e9e8ee451cd3ab00c751aa1493c5ad2e9e9e79d5e88d74dc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
1e48c730a441a2117b41b6af927fc238

SHA1
c91390decd9cfafc4ecde0828b0077478182ca6b

SHA256
5faeef9b28f50520f1da150218f265018fd7440d9663952e87136e64cf02a25e

SHA512
357eb6dc77d6201c91791afa4cf52f879192085d4ed69f462ce2c6a5ae55c95f5a2d96887a46b592672c0c96a84321ee1c1e8c8384ed4473428fec9beb265442

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
31ae7e2798af80569064f337c2d9e6a9

SHA1
66a1526de5fa45f546a5146bdac1d14df05d29cb

SHA256
450c237e17a0ad03be6d629dcf09d614b92fed56837d87888f81ff828d21ecca

SHA512
652a1d140ec1a91a62b14bb4b140c065a0f4e80a50372ea9088d5b2b89b892496eafad64f246b77f1e1133f4e85171d6b425aba543fe73740ad6ab217be5548b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3b23d876-3b29-4552-b5ee-c094dacbfe2e\index-dir\the-real-index

Filesize
2KB

MD5
db11fe9a01cb8fb714f328fd47f2caec

SHA1
a38713bb2db4e1b26398aa85b54cfab769de729c

SHA256
1c3f08002261dbfc0abbbc5f3fdfc0e40476fdedcafca602ec8ef125127d942d

SHA512
ae72f7de297c53388487946ec0c55807629cfdffed0fde73f39a73d57cbcf00f0189e40f43f9a883bc5839f86220d0dce5560a1635bf397899ac84a5dae1caa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3b23d876-3b29-4552-b5ee-c094dacbfe2e\index-dir\the-real-index~RFe58290f.TMP

Filesize
2KB

MD5
736fa6ac46f2a6728b65d0700253d54a

SHA1
1feb6b214fbe8172366818a1d8d41ab0f912ee65

SHA256
09b4c1e9c697f5d9ebb8e2dfed0b9a68b22861ddd3faee4f9d48d6828c863cbe

SHA512
c1a55e754388c74f69f36d6092f01362fa2169933e6a4afa6a08eab4dac19831105ea74d0b35b7531d8ca255f377f5d1a5647140632ee1053f1826a1d633ae20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
0f07caa5e53135cf0d0c47af0a7639fb

SHA1
2f7f4b57b63f4192f967f81f78212847b93bff2f

SHA256
d42b3ceb35b0cee01954f0ae93958862e67573e1901c17df93d3fe68ac8dc7e2

SHA512
31c5e3148a7de9e09373a6a08b4501d7c3afaa5ff314f8be26eaf6892f6287d611e1ae8a046c0122a07959c2ea739b12918e8928194a90ea5be64ee6a10995e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
bf69dfed8056adce2156224b751491f7

SHA1
34959a8628e7aee56689c4c13b0e664a5063b6cf

SHA256
55aa985e1e07ac57d96dff018d397cb892354573451f80a78bf0d29c65d61377

SHA512
c3cf05f5b20fdfd5bfa1449824e8ff48b065462d15f1f73b93d83e99241a7a67a8aae0f4513d1520c13849248890fbe820eba4f1b40ad96cb6f5bb238a552510

Download Submit
memory/4964-89-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-19-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-36-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-29-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-28-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-27-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-23-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-79-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-80-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-81-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-82-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-85-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-4-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-90-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-91-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-95-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-20-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-33-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-14-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-124-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-13-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-6-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-453-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-483-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-486-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-488-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-489-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-5-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-496-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-497-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-498-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-499-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-500-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download
memory/4964-502-0x0000000000B00000-0x0000000000B29000-memory.dmp

Filesize
164KB

Download