vidar | f85233c2e5336f961070529581d6f1a2557435ec7c11ccabb708321c2419d1b2

Analysis

max time kernel
105s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe
Size

5.0MB
MD5

7de3106bf80053132e35d123cca2eb8b
SHA1

4d699b2c5f24af383e4cf09db72814c86e84879f
SHA256

f85233c2e5336f961070529581d6f1a2557435ec7c11ccabb708321c2419d1b2
SHA512

55b1e7ed15f611cd0f3664d7fd58161c1869f7da040ba4f89df9af12c7a96454a5624db445a5ce34d8add6c7daa2adc5b9e13d1c8bc6357e6cfb6ef5c5e1b453
SSDEEP

49152:aEjRNxxJ4r2qNRN6CTe1pkdKdbEtfuIwvXSTA1Ea7gdhQSvl45Nf63u713i:/FNfJwrRN6CTQp2KNPSbal

Score

10^/10

vidar credential_access discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/b4cha00

https://steamcommunity.com/profiles/76561199825403037

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/3836-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-3-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-4-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-12-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-13-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-28-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-35-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-36-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-39-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-43-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-47-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-48-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-50-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-51-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-77-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-83-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-86-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3836-87-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	4532	Process not Found

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1188	msedge.exe
4544	chrome.exe
2796	msedge.exe
1172	msedge.exe
4324	msedge.exe
1960	msedge.exe
5024	chrome.exe
3012	chrome.exe
4048	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1288 set thread context of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2280	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839532667229966"	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
5024	chrome.exe
5024	chrome.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
3656	msedge.exe
3656	msedge.exe
4324	msedge.exe
4324	msedge.exe
3836	BitLockerToGo.exe
3836	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe
Token: SeShutdownPrivilege	5024	chrome.exe
Token: SeCreatePagefilePrivilege	5024	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
5024	chrome.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 1288 wrote to memory of 3836	1288	2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe	95
PID 3836 wrote to memory of 5024	3836	BitLockerToGo.exe	96
PID 3836 wrote to memory of 5024	3836	BitLockerToGo.exe	96
PID 5024 wrote to memory of 864	5024	chrome.exe	97
PID 5024 wrote to memory of 864	5024	chrome.exe	97
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 3920	5024	chrome.exe	98
PID 5024 wrote to memory of 1432	5024	chrome.exe	99
PID 5024 wrote to memory of 1432	5024	chrome.exe	99
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100
PID 5024 wrote to memory of 4900	5024	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_7de3106bf80053132e35d123cca2eb8b_frostygoop_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc624bcc40,0x7ffc624bcc4c,0x7ffc624bcc58
      4⤵
      PID:864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1920 /prefetch:2
      4⤵
      PID:3920
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1512,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      PID:1432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2456 /prefetch:8
      4⤵
      PID:4900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3012
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3424,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4048
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3888,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4492 /prefetch:8
      4⤵
      PID:2480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4656 /prefetch:8
      4⤵
      PID:1808
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4144,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4140 /prefetch:8
      4⤵
      PID:640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,6664443456521440386,244466904390230562,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4832 /prefetch:8
      4⤵
      PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc71c146f8,0x7ffc71c14708,0x7ffc71c14718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:2708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      4⤵
      PID:2680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,13354985996020425411,5889986542758383850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1188

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTBFMDQxQkYtQTM4RS00MkEyLThGMzYtREZGMEI5RTJENzM4fSIgdXNlcmlkPSJ7REQ0NjZEOTItOTAxNy00OUIwLTlFODktQkJEQjk0QTBBMDcxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTUwMUQ3RDgtOTU0Qi00NkJFLUE2NzUtMDU3NTg2RjYxMzVDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTEyNDI3ODQ0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2280

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
6ddc426fa23676452defa182f6f83294

SHA1
fc7ba67fec937f105e9f9c62f5f0ee862f2e488c

SHA256
a8eb02f2c7297108ad2ced30c3481fa329ae832db30e3c21a6cc96481bf8cdb3

SHA512
5a0cb31153575ae2b67d677b24100f5eb3d8349ed59df646c3c6f04db5314fcd72ebfccc6abe194b9c6fe4a7e58e660eaf429fc4e79e713d0a678d0cebabd420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
19a7f42782b4e728bb12731ff9a460f6

SHA1
495d51f1a8fa8b55063f307f919f3bc6d67af241

SHA256
126eee474c67271293ded1ff06e56bab87c21c0884d22a419fb40e4bc87cacba

SHA512
50f21223f1b013c727b26327976f74faa11ec830f6d540eee02d728d9d7b9b617e0b48b63c7b9ebf248d818e5c65bd6e4007e2352f9f59e182c4625a28b28f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
08edd5c04b02f0b7175bcda703fd0f38

SHA1
d4f1968dd481ea01a4023b1ad333e16115cb0e18

SHA256
afbae8fd296e93092ced684ac3683e56b28a3e809fe952fab4c9116995dfec09

SHA512
474dbd8d089b549cb68585a2657486f35b8aff0b644bceca10714077c4149b84e5d910d4fda400beca016ac83620d8627d2b0ce7cac292fda7c45f3abaea1379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\38085c15-7414-4ca4-8002-a42f0d4c86dc.tmp

Filesize
6KB

MD5
76b6cbfbb23b879c484ebcd03ff7016e

SHA1
18969368e12b381d1b9621a358c1458d2644b23f

SHA256
c92637720ac6cf90772d4667fce4626c82c4c1d4695f4db57903081a90774ac6

SHA512
99008958c02b6a5992f954c4853b7b0212f08824cb989137e3a97863d1de2e1c7cc4c5e51c5096b174517e1c0d51464442239e21931fec8c052001e7477db1c8

Download Submit
memory/3836-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-39-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-43-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-48-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-77-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-83-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-86-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3836-87-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download