vidar | f19da3c90ad45036e225845169410e70c0e3cd9e9394b000f3bb1102badc6d7b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe
Size

9.1MB
MD5

c063144d97874cb1e7edf5bdb84c3599
SHA1

f6acb702e7571633ad2c5bdd1e519d617eb34c3d
SHA256

f19da3c90ad45036e225845169410e70c0e3cd9e9394b000f3bb1102badc6d7b
SHA512

8577518ac1a4b2378dc1f9b4cea35ed7311f7f0e85e7c2d180bcc7b410e34949c926ff2258ed4b6ff2269d0d7e0729f7eb5f5d19f9c4bac08e63fa14d98e287b
SSDEEP

98304:9NuLIwcNjoy/xlt6Nd7uOsb4d1C1Jn4n6rO3uHuJ1670a6G:XHhp6DuOsbgIQ6rO3uoG

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 9 IoCs

stealer

resource	yara_rule
behavioral2/memory/2964-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-6-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-10-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-12-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-13-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/2964-52-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
88	1340	Process not Found

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
724	chrome.exe
4400	chrome.exe
3516	chrome.exe
4516	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4672	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839458188310503"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2964	BitLockerToGo.exe
2964	BitLockerToGo.exe
2964	BitLockerToGo.exe
2964	BitLockerToGo.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
724	chrome.exe
724	chrome.exe
724	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe
Token: SeShutdownPrivilege	724	chrome.exe
Token: SeCreatePagefilePrivilege	724	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe
724	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 3060 wrote to memory of 2964	3060	2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe	94
PID 2964 wrote to memory of 724	2964	BitLockerToGo.exe	98
PID 2964 wrote to memory of 724	2964	BitLockerToGo.exe	98
PID 724 wrote to memory of 440	724	chrome.exe	99
PID 724 wrote to memory of 440	724	chrome.exe	99
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 3980	724	chrome.exe	100
PID 724 wrote to memory of 4380	724	chrome.exe	101
PID 724 wrote to memory of 4380	724	chrome.exe	101
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102
PID 724 wrote to memory of 4756	724	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_c063144d97874cb1e7edf5bdb84c3599_frostygoop_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fffeb5dcc40,0x7fffeb5dcc4c,0x7fffeb5dcc58
      4⤵
      PID:440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:3980
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:4380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2432 /prefetch:8
      4⤵
      PID:4756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4584 /prefetch:8
      4⤵
      PID:2380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3660,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3900 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4048,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4092 /prefetch:8
      4⤵
      PID:1992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4084,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4612 /prefetch:8
      4⤵
      PID:3880
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4080 /prefetch:8
      4⤵
      PID:4544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=208,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5072 /prefetch:8
      4⤵
      PID:4340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,10860787362732164810,4731305127922417313,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4112 /prefetch:8
      4⤵
      PID:4348

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4356

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0IwMUZBRDMtRDUwOC00MzlDLUEyQzEtQUNDREE1OUFGNkZBfSIgdXNlcmlkPSJ7NzFBOUNCQzItRUE3RS00REYzLTlDNjMtM0JGNTI2MzZERDMyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEVBNUM2MUQtNkVBMy00M0VDLUJCMEItQUQ1NkNGNjUxMEYyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzM0Mjc3MTMwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\309214f1-3302-4a39-9ba3-b742259933a5.tmp

Filesize
127KB

MD5
37585c6ea6b25db10029832cab11adf0

SHA1
302d561ecb66a28cd579ad47bef303def590926d

SHA256
213055bb17ffcf114c3f4a4161d5471b3e670ac1b7b9bf24d0ab078eb1ff443c

SHA512
b6c29814c0b919f831e4b068e3c6f84a26fa59c1c8e1eb2be3cf5dfa7630937f17f32196d7df50d53205e6fff6d672ea1146e4393ff42026dd20be7dc52a5c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a481053f7f8935ed01c1629fad85c631

SHA1
455e0144b62116783ecd65fbdc7ad492e14a2847

SHA256
f14f613670d5b6dff4f2c01b7b9edbdf89a5c4a586c38d8ac5c9f65577f5628b

SHA512
0aaf4bfdc22be0a893f5e5617fb562da8fe52673db828053b5b8fa37ac7253f9f6fef718b6f571b3675c0f1856098d98685f337c1b7f11d6e46bb8b4c88532ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
db08ff10778ad37b7ae81411cef960f5

SHA1
d130c59e2862e1ab0cb86c8339f9d50f10d5e66e

SHA256
7e0f1cabe3d67065d238eef5bf051e5259bee12bb24af2906cbe79985310a61a

SHA512
edc38a16d5fdd6685a0487713bf0e488aa186d4763ac158920754f0cfce82db3dee726eed5bf0fc9fd20cb9fe3f70abf94aada23ebc8ac39d7e8cbe2f6fdfe77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
605f8b5b59efafcb87cb49cc78a8226a

SHA1
08d9ad6e8e6e7124f9d21d395b6e0283a4d85050

SHA256
87607486b5f40578413377812c04292a49bc366894e410d891adfc7f623ba07c

SHA512
52ff09ec7315dcfc7deb4d7e342e57167483d81c574db8fae3449d81a43cc0c75ff43b5759e34847d2f0f711064bd28393ade79dd46e1d54fd039c3ee80b2d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7e10a4e2b7f8ee2bb94076c9c3a4f7d7

SHA1
915a3a54a7548754a38c470b13fd3a8bb2df8405

SHA256
cd29ee7df3832ab3a02054d840cee203edad8e035fd8e116604d2a792517f57b

SHA512
7cf2ac6c727148f0e47fb675bfaa78959ff889f9aac198d3191ebf3c2600bf1884c0390e9c9fc680574a3d4d639768754e5b0cdcc48b3336cd06facece0409fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8d646065c054963bbbb3679990c05826

SHA1
28a3e3e8e772bafb9089927c8fcd6157ab5cf824

SHA256
cef54dcd4d546046cd8b75ff15cecabb58b58aba776f5acb27a3ba01d25cd257

SHA512
c2deff6c6c2a057bd47f0396df250f39a7bb7c0ca0c7241caae7af0f69063e6b8d75fd40fe8719c4b9f241118dd135a28a6727ace40adc22e30583d3c9b84733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d6963731ce14134893b16ed468823a63

SHA1
17787d48167fd2e6dd83873213ef36aebcc8274c

SHA256
62eb0591f3c3de0e669cfccbfcf4a1ae27a429871c45052bc2499b53c617f81e

SHA512
26e977f1492088b3a20bb864de99aa03168ffd775176fc7ff67a2fb46fa514d5e27800c2bce99fd024e1ea5f4690f40ae8037e8c236233db1d2511a112b8e191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
d0c3fc3b6d39f6c968a3c366673da313

SHA1
0ba2e3e5e6a9c4fa6354b232f249fae782b5621f

SHA256
adf40a6642df34b211e1336b9769795743ed055c10a849ab86ffe159be097ffa

SHA512
0810732b8793b0934ce3b63e3721d05a3acda35d8c309413a568eff820215e622493f311795187d33c1645f3396b611931e2121e578fddbaca24bb9dc3b22d44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
bf299b415ca0869e16cef872c91cd19f

SHA1
dd872fab63b70b8e634575f05fc5036686352796

SHA256
c2ad06c3615e023985404fcc56b0a32799f509f86b7516c18f71589dd0843362

SHA512
f09fe83230d90c98f4db212eb7a51ea4bf0914432ea2afb0dbb76af69bbbd1553dc53db94be67ba56ef9b22402b589de25432ff6e55c8d2db332a125b200284a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
186dd1ada6b0318a752079416855cdfd

SHA1
c4aa9d62c188c10e00b2e570716cded9670c38c5

SHA256
9b6f346db2c9092fd6f99733e26688f36ad0a8b8b6569f577b2369d82abc397f

SHA512
fc23fcd38698aacdae9c275aee6a4401a21fbc106df8f508b3f4e313c6c66ed8b5aca0fb34275f9716f3196ae58cdd6f97aab985570701b31733cd0ef4f8f161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
24278b9f4a91d59ce71c6b716c20848b

SHA1
7a8d3a97fbd7217a85996aa1f2853062d57e42bb

SHA256
f72715200d79a18816b3f8a59895bc8151405b97fa254ee30e934487b759ce14

SHA512
6da899e12d2f0181076932835b48dabb7a41802195be289f1a0f6943fa1178979fa2b8b5eae7e5d1b0ced62a19c04b770d986287c93791340afa7e5d35723d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
249KB

MD5
c85c4da08ed73d2e97c2414e7fe181da

SHA1
58f7a69505dc8b4596cb573ce4d790b4155eea47

SHA256
c7de06c9d23afea89738b3aff3ba2cf2819d6b492488c950726b44841907059c

SHA512
5895806b01516be42474757371c61644d0a8a72c6ef8f6cb3b643a28c430cc3d76a446665d18b6f0d9d9ac0f03375a74bdfbddfbaa5774dddef93fc2407aecd3

Download Submit
memory/2964-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-52-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2964-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download