vidar | 28b3e2861996ebc0fe11d6c4db2cdb51d0543de25522cd1348a1d92f56ec5b99

Analysis

max time kernel
104s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe
Size

7.3MB
MD5

431b2a3c61cc267041f56b7fe9ddd42d
SHA1

a4db5dfe07b43db0f764db61a243f72e504da405
SHA256

28b3e2861996ebc0fe11d6c4db2cdb51d0543de25522cd1348a1d92f56ec5b99
SHA512

e712c6e50404d9300eca6c83c84906714a84deebb3930b4db876b7f3051ca0d69ab4e16b6eb40f2d8d591e4cbb12c09bc4609233f365363a53d9ff1ec8bbdd83
SSDEEP

49152:Mu7j2db6v4MmTW+cs832y1O1GdM7Ugxu5gez60YQLoGzmytaO4jpvBFmIzs7O8Ac:Mu7jMZMmTWpr31dpz60hL39axZkpGGKs

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 35 IoCs

stealer

resource	yara_rule
behavioral2/memory/1588-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-9-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-10-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-12-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-53-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-60-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-61-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-64-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-68-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-69-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-70-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-74-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-76-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-77-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-78-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-109-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-110-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-113-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-117-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-118-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-119-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-123-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-127-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-128-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-131-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-133-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-134-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-145-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-146-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-147-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-148-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-149-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/1588-153-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
668	chrome.exe
2860	msedge.exe
1988	msedge.exe
4840	msedge.exe
2288	msedge.exe
1492	chrome.exe
2072	chrome.exe
636	chrome.exe
4744	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4472	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833715822216117"	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1492	chrome.exe
1492	chrome.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1652	msedge.exe
1652	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4080	msedge.exe
4744	msedge.exe
4744	msedge.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe
1588	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe
Token: SeShutdownPrivilege	1492	chrome.exe
Token: SeCreatePagefilePrivilege	1492	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
1492	chrome.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 2772 wrote to memory of 1588	2772	2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe	99
PID 1588 wrote to memory of 1492	1588	BitLockerToGo.exe	104
PID 1588 wrote to memory of 1492	1588	BitLockerToGo.exe	104
PID 1492 wrote to memory of 1788	1492	chrome.exe	105
PID 1492 wrote to memory of 1788	1492	chrome.exe	105
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 1396	1492	chrome.exe	106
PID 1492 wrote to memory of 2636	1492	chrome.exe	107
PID 1492 wrote to memory of 2636	1492	chrome.exe	107
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108
PID 1492 wrote to memory of 4780	1492	chrome.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-07_431b2a3c61cc267041f56b7fe9ddd42d_frostygoop_hijackloader_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffac65cc40,0x7fffac65cc4c,0x7fffac65cc58
      4⤵
      PID:1788
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2044 /prefetch:2
      4⤵
      PID:1396
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2296 /prefetch:3
      4⤵
      PID:2636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2444 /prefetch:8
      4⤵
      PID:4780
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:668
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4516 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4492,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4588 /prefetch:8
      4⤵
      PID:4944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4816 /prefetch:8
      4⤵
      PID:4876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4780 /prefetch:8
      4⤵
      PID:3144
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,6325558490182551755,7448423428853120225,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4748 /prefetch:8
      4⤵
      PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffac6646f8,0x7fffac664708,0x7fffac664718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2156,9522754377094012452,6110146678938067604,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\wtjw4" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4472

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6109db61020e8bf9f23620cc51a86099

SHA1
0fe86804044724901608e8d212f0db62a670120b

SHA256
ae3adccb57dd3ac65956d7e6edce6d523f99c137f688e0506383e9a6f40104d7

SHA512
4c4b8e3db93aa50d1b2d82255e2a320aef010af04c40b6ec12fb6878a2eba4efb295d8c1fe97e9ed8b311f0191b3c95d5d2cbbbf2df0ce7ab20e1f13e0578054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
f37e35799d38c268dd0f7538001578ca

SHA1
333c23081242a9d7725f14bfeac7605e3566eeae

SHA256
65fb7f92b9950c7b84db1d83e092ba212a21989071da1ab7a3da953b46229fcc

SHA512
d7f7720f4a97950c32cf4a34b3e09a996f225abcc728640e6df4194196671c1485dc36a493ccc2a7f5fa875c6ea0c4c4410efbef5efab46aa3d62f808f3c3aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a451e41e51facc395053e7b74c3490d0

SHA1
c866ac24af529f0265e99bd88529da46c9ff6dcc

SHA256
cc33bfdf9c856a2e9e9aa8eeddf9723a0396fad82b0dcae7a408bb4c84fdb584

SHA512
553489450d55d7adb9c859e521d0e46961490e54c533c826adc8c546ca0b51ecda82c159801bd060a291e724355c6d4fd2ee603ff65d4a15603f34f1472664fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a53cceb7a396402c1eccd08dbe38a73

SHA1
96e06029b79791df1b1a0a7cef7508a5c44d13c4

SHA256
31c8ba2ce8a088515e4feff78968e8916c759331b7428421a990cc349a208b51

SHA512
bda381d092d0272a19350a66533ec0fac2efccfd26fc87695a8270eb3d4abec01483b31dfae75ba3f128623454d471c9e948c44df478edbdb6b5a15377637036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
452b295028f870ab57440921bb86ae21

SHA1
68aae8b915d8a0b5f59896ec3c62a09fcdb6f2f4

SHA256
fcab6ca0da22a766ec4b4ee374b1092f9893f994f4043bb42800d038027d9af6

SHA512
5ce2f1e912d895b16d7f216a846f63206ba2a3dc3238a79e07527f0763f49ac7325c5eee802e7227e43c30ad1b048b4deb7fe3e0a84b9d0c4717f7accbfe353c

Download Submit
memory/1588-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-69-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-70-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-74-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-76-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-78-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-109-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-110-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-113-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-117-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-118-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-119-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-127-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-128-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-131-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-134-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-147-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-149-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-153-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download