vidar | e226a8c19929e94761027accb16309d9a64589b9bf67778cc114ad75636790b3

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe
Size

5.4MB
MD5

6768e4499258c2b0de9500e3df9f1091
SHA1

be85cdd2afc5ef803cbd27a3f9e5981728e9ac39
SHA256

e226a8c19929e94761027accb16309d9a64589b9bf67778cc114ad75636790b3
SHA512

a0f1fa5a14268e4cb977001121bf0f9691f9a1dc1210bfc08b077d36527b86c658fe897669ee58071f0d62178039fef690587f66256fbd060c3553fe2b6677de
SSDEEP

49152:ecUeR/4tXOwssxLkn8lMZ6FkkUQDe16Scz5ROJTqLTaUgyQgSmJ1xjSlVR0oBIqY:ejm/OQsxI8lKk8GTaUgyQFKm

Score

10^/10

vidar credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Detect Vidar Stealer 34 IoCs

stealer

resource	yara_rule
behavioral2/memory/3712-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-9-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-10-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-11-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-12-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-46-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-48-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-49-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-52-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-56-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-57-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-61-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-62-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-64-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-66-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-98-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-99-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-102-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-103-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-107-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-108-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-112-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-113-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-117-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-120-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-121-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-122-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-123-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-128-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-129-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-130-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/3712-133-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
184	chrome.exe
3196	chrome.exe
4168	chrome.exe
3744	msedge.exe
2008	msedge.exe
4656	msedge.exe
1136	chrome.exe
3588	msedge.exe
2324	msedge.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5080	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848358649352136"	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
184	chrome.exe
184	chrome.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
1744	msedge.exe
1744	msedge.exe
3588	msedge.exe
3588	msedge.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe
3712	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
184	chrome.exe
184	chrome.exe
184	chrome.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe
Token: SeShutdownPrivilege	184	chrome.exe
Token: SeCreatePagefilePrivilege	184	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
184	chrome.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 4948 wrote to memory of 3712	4948	2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe	91
PID 3712 wrote to memory of 184	3712	BitLockerToGo.exe	96
PID 3712 wrote to memory of 184	3712	BitLockerToGo.exe	96
PID 184 wrote to memory of 1384	184	chrome.exe	97
PID 184 wrote to memory of 1384	184	chrome.exe	97
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 4856	184	chrome.exe	98
PID 184 wrote to memory of 400	184	chrome.exe	99
PID 184 wrote to memory of 400	184	chrome.exe	99
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100
PID 184 wrote to memory of 3008	184	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-24_6768e4499258c2b0de9500e3df9f1091_frostygoop_poet-rat_snatch.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb319ccc40,0x7ffb319ccc4c,0x7ffb319ccc58
      4⤵
      PID:1384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2088,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:4856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2120 /prefetch:3
      4⤵
      PID:400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1724,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2268 /prefetch:8
      4⤵
      PID:3008
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3196
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4236,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4560 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4720 /prefetch:8
      4⤵
      PID:3112
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4788 /prefetch:8
      4⤵
      PID:1320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4924 /prefetch:8
      4⤵
      PID:4988
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,4145130314469805834,5496921295466032622,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb319d46f8,0x7ffb319d4708,0x7ffb319d4718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
      4⤵
      PID:516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2088,3043080869680398536,18350653600903363237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\m7ymo" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c6e13dc1762aa873320bed152204f3c

SHA1
38df427d38ca5ce6ce203490a9fb8461c7444e12

SHA256
5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371

SHA512
133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5da507c2059b715761792e7106405f0

SHA1
a277fd608467c5a666cf4a4a3e16823b93c6777f

SHA256
8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8

SHA512
01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d04ad1e4bc181fd4037fadaf26d14c30

SHA1
98c0ba81ac8ad284180a2f218b00522aa512fe5a

SHA256
15fec1affa023e05e3703f48c3909f6f6e2ee392e58000d92bcfeb1a0eb1edfa

SHA512
bcbfbafba3320046a4095f01ecda2014f2368f9c5c6ca779b46f3e4e55f3c3f48c60ebdd32b5a06d5f5747ba092d0c28469816a12636389706a8b6c258479b02

Download Submit
memory/3712-48-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-46-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-52-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-56-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-64-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-12-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-98-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-99-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-102-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-103-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-107-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-108-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-112-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-113-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-117-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-121-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-122-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-128-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-129-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-130-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3712-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download