6197fb4df12b4959d598217fb3ac665f9c5989673e1a77a0d936b0a711d773cc

Analysis

max time kernel
141s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2025, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe
Size

14.6MB
MD5

a57b9bde642ec10198010d43d5dac1ad
SHA1

cf2287d215683c22ac0d9c470fe474a0e50aaf46
SHA256

6197fb4df12b4959d598217fb3ac665f9c5989673e1a77a0d936b0a711d773cc
SHA512

34066742ec91f68a84bb383f70e215ed0818a08c13cdba059daf4e246143e3659d7bbe17ae05157ff6e29cccdf01e61422f4cf591493da4d9c27cde9b3590f48
SSDEEP

98304:56DISpWjeuYOfJ8DtrB/Gk8rZWOvAof/CTC8EV+yM02xd10/nxPswT0AfIgT5GiN:C3WjeuYOfkSvzh1V+UsM0AfntE

Score

8^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4060	msedge.exe
1532	chrome.exe
1104	chrome.exe
2468	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1780	powershell.exe
4160	powershell.exe
4928	powershell.exe
3104	powershell.exe
1856	powershell.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
976	taskkill.exe
1232	taskkill.exe
2984	taskkill.exe
1608	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2096	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe
1856	powershell.exe
1856	powershell.exe
1780	powershell.exe
1780	powershell.exe
4160	powershell.exe
4160	powershell.exe
3636	msedge.exe
3636	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	vlc.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: 33	4168	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4168	AUDIODG.EXE
Token: 33	2096	vlc.exe
Token: SeIncBasePriorityPrivilege	2096	vlc.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe
2096	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1388	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	83
PID 1288 wrote to memory of 1388	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	83
PID 4848 wrote to memory of 2096	4848	explorer.exe	86
PID 4848 wrote to memory of 2096	4848	explorer.exe	86
PID 1288 wrote to memory of 4928	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	89
PID 1288 wrote to memory of 4928	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	89
PID 1288 wrote to memory of 3104	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	91
PID 1288 wrote to memory of 3104	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	91
PID 1288 wrote to memory of 1856	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	94
PID 1288 wrote to memory of 1856	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	94
PID 1288 wrote to memory of 1780	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	98
PID 1288 wrote to memory of 1780	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	98
PID 1288 wrote to memory of 4160	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	100
PID 1288 wrote to memory of 4160	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	100
PID 1288 wrote to memory of 1608	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	104
PID 1288 wrote to memory of 1608	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	104
PID 1288 wrote to memory of 1532	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	106
PID 1288 wrote to memory of 1532	1288	2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe	106
PID 1532 wrote to memory of 1992	1532	chrome.exe	107
PID 1532 wrote to memory of 1992	1532	chrome.exe	107
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 1280	1532	chrome.exe	108
PID 1532 wrote to memory of 4544	1532	chrome.exe	109
PID 1532 wrote to memory of 4544	1532	chrome.exe	109
PID 1532 wrote to memory of 1104	1532	chrome.exe	110

C:\Users\Admin\AppData\Local\Temp\2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-19_a57b9bde642ec10198010d43d5dac1ad_frostygoop_luca-stealer_poet-rat_snatch.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\bunnyexposed.mp4
  2⤵
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-Process | Select-Object -ExpandProperty ProcessName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" https://greyshare.pics/home
  2⤵
  - Uses browser remote debugging
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9320cc40,0x7ffb9320cc4c,0x7ffb9320cc58
    3⤵
    PID:1992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1464,i,5677116294468714083,1028492633639931865,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1456 /prefetch:2
    3⤵
    PID:1280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1720,i,5677116294468714083,1028492633639931865,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:3
    3⤵
    PID:4544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --remote-debugging-port=49422 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1872,i,5677116294468714083,1028492633639931865,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:1
    3⤵
    - Uses browser remote debugging
    - Drops file in Program Files directory
    PID:1104
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=49422 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" https://greyshare.pics/home
  2⤵
  - Uses browser remote debugging
  PID:2468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb932146f8,0x7ffb93214708,0x7ffb93214718
    3⤵
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1476,9008969574797676713,7333080380548759674,131072 --disable-features=PaintHolding --headless --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1484 /prefetch:2
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1476,9008969574797676713,7333080380548759674,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1848 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=49422 --allow-pre-commit-input --field-trial-handle=1476,9008969574797676713,7333080380548759674,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2008 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4060
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\bunnyexposed.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f380d62a69e1ea1237d8ae7153ed2d69

SHA1
b6c1bf4c5e995c070d542771a14abc6ae8d4f6be

SHA256
72af84db6a35b043619c568d82802c382e3c037ae0d6cc1c36c43d8795672447

SHA512
4afba6d4bbb7ee136c643930a807877c517a328377c8b23db019420047911ca72006c5becc393bc510a85444b7ceccaae6adf0d7cabff35b83b46f408ac5f544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b0bed2fdd77e0b96594582487940549

SHA1
774269195ad3c9a1ae24123e2dfa48df490fad9a

SHA256
6fefd67a4423d92a482a0594c22afcc35e1bb2473edd0a1eaeaa9964413e7a10

SHA512
d205a53dead056d46f170a1d62b3a4aea0bae9025973e9b6f319ed8930857e94892cde39cfb5b7aa7075b9ee9dcaf1a5049a6e47b289544ff76cd7365dbc1f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92034b26c20eedc7f1d06f0aebb1e0df

SHA1
706c50cb6a1d32cff50221e7d2dde897fbb3f978

SHA256
4ef81f1cbddc3649915945f3bcd50b86c57cf8fe80c6e118cdf4d2ab33276626

SHA512
62ad73325b1df2cbbf767ae6ac668d7bdd022d146fde376f6c830a53be985ce167818bfa30aea2d588af2b80ab7aeb44a5718549dd50b8e373d8d58c71c5efa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54dc457f01f51107dc1db86f022a90ab

SHA1
c1cbe5b4931d1d5ac2fdd6b6cc6fd4441f1c9840

SHA256
66df8cef56f2077c2ea68b826c78d9baad7ce62c59b360d0bbdd6d4c0b3097c1

SHA512
ee882379039fd2a290a51e38922a20b71e767716b4b10f6fe6f6e031eb4f55b35f9d5b521cb7ce54dd0c1db28206bc389ed2a8f2927d1d39398896df06bb98b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.bak

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnpswzgx.myq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bunnyexposed.mp4

Filesize
1.5MB

MD5
c65cd2177b23dd745afc1875a793a37f

SHA1
cd90cc8c2a3102fd2a47fe535251cf1c979e195b

SHA256
d6705723e12c100fdc523f7c51a0e94c743502abd08ce963b5ed988f7c854b89

SHA512
4b06a75346c42da31c3478fa95d8710f64385468a620ef2b63c1525149fd0202fb22d047559f1711539bf97ef47f2a7a573bdfd1235257c8d10b29f46ca0b6dd

Download Submit
memory/2096-75-0x00007FFB7D450000-0x00007FFB7D65B000-memory.dmp

Filesize
2.0MB

Download
memory/2096-67-0x00007FFB842F0000-0x00007FFB845A6000-memory.dmp

Filesize
2.7MB

Download
memory/2096-72-0x00007FFB93670000-0x00007FFB93681000-memory.dmp

Filesize
68KB

Download
memory/2096-71-0x00007FFB93780000-0x00007FFB93797000-memory.dmp

Filesize
92KB

Download
memory/2096-74-0x00007FFB92F50000-0x00007FFB92F61000-memory.dmp

Filesize
68KB

Download
memory/2096-70-0x00007FFB93810000-0x00007FFB93821000-memory.dmp

Filesize
68KB

Download
memory/2096-76-0x00007FFB92B60000-0x00007FFB92BA1000-memory.dmp

Filesize
260KB

Download
memory/2096-69-0x00007FFB99970000-0x00007FFB99987000-memory.dmp

Filesize
92KB

Download
memory/2096-68-0x00007FFB9B550000-0x00007FFB9B568000-memory.dmp

Filesize
96KB

Download
memory/2096-73-0x00007FFB92F70000-0x00007FFB92F8D000-memory.dmp

Filesize
116KB

Download
memory/2096-82-0x00007FFB8BF90000-0x00007FFB8BFA1000-memory.dmp

Filesize
68KB

Download
memory/2096-81-0x00007FFB8BFB0000-0x00007FFB8BFC1000-memory.dmp

Filesize
68KB

Download
memory/2096-80-0x00007FFB8F330000-0x00007FFB8F341000-memory.dmp

Filesize
68KB

Download
memory/2096-79-0x00007FFB8F350000-0x00007FFB8F368000-memory.dmp

Filesize
96KB

Download
memory/2096-78-0x00007FFB92B30000-0x00007FFB92B51000-memory.dmp

Filesize
132KB

Download
memory/2096-77-0x00007FFB7A320000-0x00007FFB7B3D0000-memory.dmp

Filesize
16.7MB

Download
memory/2096-113-0x00007FFB7A320000-0x00007FFB7B3D0000-memory.dmp

Filesize
16.7MB

Download
memory/2096-66-0x00007FFB938A0000-0x00007FFB938D4000-memory.dmp

Filesize
208KB

Download
memory/2096-65-0x00007FF60F3D0000-0x00007FF60F4C8000-memory.dmp

Filesize
992KB

Download
memory/4928-8-0x000002C36E7A0000-0x000002C36E7C2000-memory.dmp

Filesize
136KB

Download