vidar | 8b34e6283a4e30009a0ad792723817cfb0d5cdbbbe119948aa6e887bd59e1620

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66bddfcb52736_vidar.exe
Size

190KB
MD5

fedb687ed23f77925b35623027f799bb
SHA1

7f27d0290ecc2c81bf2b2d0fa1026f54fd687c81
SHA256

325396d5ffca8546730b9a56c2d0ed99238d48b5e1c3c49e7d027505ea13b8d1
SHA512

6d1fa39560f4d7ca57905bc57d615acf96b1ef69ca2a4d7c0353278e8d4466298ed87f514463c49d671cb0e3b6a269a78636a10a1e463dba5c83fe067dc5df18
SSDEEP

3072:XqsEJybpRHuJKKBardRei4UGvI96/ZO6RAkeOCeP9sZy28se:XqsMyNRHuKikUi42KZO6PffmZy2d

Score

10^/10

vidar 877956da9963e0825aa43a159a358f24 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

10.7

Botnet

877956da9963e0825aa43a159a358f24

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/2940-7-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2940-9-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2940-4-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2940-131-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/2940-132-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2940	2836	66bddfcb52736_vidar.exe	85

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66bddfcb52736_vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2372	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2940	RegAsm.exe
2940	RegAsm.exe
5108	msedge.exe
5108	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
372	identity_helper.exe
372	identity_helper.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
2940	RegAsm.exe
1488	msedge.exe
1488	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 2836 wrote to memory of 2940	2836	66bddfcb52736_vidar.exe	85
PID 4972 wrote to memory of 3552	4972	msedge.exe	90
PID 4972 wrote to memory of 3552	4972	msedge.exe	90
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 4604	4972	msedge.exe	91
PID 4972 wrote to memory of 5108	4972	msedge.exe	92
PID 4972 wrote to memory of 5108	4972	msedge.exe	92
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93
PID 4972 wrote to memory of 4576	4972	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\JJDBAAEGDBKK" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf3dc46f8,0x7ffaf3dc4708,0x7ffaf3dc4718
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,8467266869927421362,5923330967454134759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://proramdata/
1⤵
PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaf3dc46f8,0x7ffaf3dc4708,0x7ffaf3dc4718
  2⤵
  PID:3192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\35495d4d-ec35-4713-86d9-81b3fda75d2a.tmp

Filesize
5KB

MD5
e2b7bf7ad682bccc0338b447869cee94

SHA1
57f306f40cde4cb4fcf1fd8d03d04914cc5b236b

SHA256
afafc014ee96f574626507b9bacfbdf1b724254cee5c740e8c5a11b9b894aa1a

SHA512
06f399faec6c48311a0a03b3345a980e39dc078308235b32e511ee1efcd5cf2afd6187bca4c0ec35cdad58e418f5f09a8eba7d276758241d479856b49a7fc4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e04cc8a145ef572d4acdd528f2799884

SHA1
111e78275300b4c744aff12fe97fb680d77a8090

SHA256
195f4d10cf8152f0c876d83fd9d32bc0cfeef5ec7824f12bd3e79cbb8e2e9fa6

SHA512
411b9315ae1e69a99c52af1a298be5729db9da6c98ebf7c3bd86bf9650e256719ea23f627ae99167c17034707d372261bf54daccfe899debacfa11da6abfd403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1c5fe62323f24f8dd8a9f4de7b52efa4

SHA1
069088887dc092f908eb1af4c581953222aeab69

SHA256
e6195b82ce79855d5ebddcc67fc1e3fcbfbe558fa3890a9a0caf5126c863ea00

SHA512
8c5db208a03bec72bdd5f3115bf5ff7624836063f8dfd5819a381ccab4d97c9ad9e884c57600498d348da5bb3b2d3e177cda6550024c3ff3b5e0827551f40855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a73189d89a41f4196ed2a4becc8d1003

SHA1
0d3aabf3a5604e66784aeaf4ba7ef90477e8e999

SHA256
e020ac96709ec0dc6ae88e11fc0860fc9ccfd0be088caee91bfe45da13dc2d30

SHA512
a284af5d3962af52bd3f9ebb472bb1dbef5474629217d4ae70b64041bdcaf25c85db8b8a1aed7da3fe6322972bb7c57780b40c41f30cbdb546974928ad48fbf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94216e04257613fa3f94aba10a6a347e

SHA1
265242b5101d23e5b01d8efba955e466a959ba2c

SHA256
b6e8f2ccbc277984d32617613a5b0d9a386aead8a7890e8f823b4cd2ab752c9d

SHA512
0e4c32622dbaa72d10c89dbfbae1f852f56b218c93e26eafad841c45e0257162eee3a5ae5fee4b2edd01a4ac7b742137286ee9feec4ed41ae6f751bfcd0acd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f501e6a5b085486b18348389a9698730

SHA1
577a909bd7d98cce53b8e69514ce23f1252a3497

SHA256
b07cfe51d9d124328539bd253ac740efa9ea4a9f35f72f8380a01d5aeed634d2

SHA512
b09c247b23696a5aabacad4a91209f5c94a71767d157fa452806ec31aab43a3f7efa3a373e75981b3c4573251a0ade0fb3966f131cf5a69bc1fd359b6c4105aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8af6f30b2290ab43b12520ad3e5e76d2

SHA1
b2ce1032068257fb22b4747088f965e036628ed6

SHA256
c90a50cba439810597855f435068ccd81ac07a92c7c33ed398f9be608b86f32b

SHA512
5b71c2a1a76d2ea13a5dd12726f1963330da1f6c83cb690abba5ca6576f93571472ff4f93eec203fa78c6c4b675c5c1ed163261d9a91860b4cecf52d6539ae49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba04c1c3c97373c095301776a7c662d2

SHA1
781a87ec6b59d6c18728710eaefd6fb0fbe16a7e

SHA256
4396417f24ec11c989f6a83980a36ba9a56cdbbb9bd2adee4bf6b8eb42abeb0b

SHA512
ec750f80102781995c9a440e0d3e6b7240f14d37d4e6adc75e9239c5ae20546c5a3c16b07204deee58bba3c0a5ad50f8dc4563aae14b82e6c37f10450977dae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
601a501190f51d318975e5bfa261f274

SHA1
8d9fe76776f85dfb5d51a0f2955e5ab86b9c1bd9

SHA256
ca08afc61d8154154c0a8b5d3594070eb4d087c72d92907a5d8a61aaf673e9d9

SHA512
d3907585ed63b280484667ac98e2120009ffa094a0765e6ec52ed0d11d2563920ffae50fe7fc209527b3e6f6675f26058af6ace2d3acce36a437eeea50ec3b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583beb.TMP

Filesize
705B

MD5
7b920bec209a14740c03b67877c0943b

SHA1
a8f26cea1abef0d2e3d167f52177e8b61a3aad35

SHA256
7a2defb8d9f677df5ba99e3effd0009f9f3e2f7ad9ab2a08a6374d15755857e7

SHA512
135c3957c468dc96b0223b7fe45af2c0ae55ac45525a9c0d770894200a372cf726dbd4b5261767ed5fc4648312b345df4f02916399b09f79e1b7fe3d371ef538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de8660a7b189396cc7fb2a6dc4c0bf02

SHA1
16b3e93f3b72c840f085b38f87afe32ab79c3ead

SHA256
357827f2f95ef465bb396afc5e27915db03f331163392f67c95813e27e84e0d2

SHA512
7c727d676e019c60460c8e498bf758300fbcc1782f6ad8b2b60aefc544b6774bf3926c4e237acda818aca62a835327dee5e437fa6f4a23393cb1270939e2a8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1a5666f4fb73cdea81203e0e409be4a5

SHA1
eb96d8b72619f699ab00da369d81ab2b155f5229

SHA256
8386c8bdd6f365a18ab97cecbe5bff826b379b240844260cec8eab013c1ddeee

SHA512
89108b630675865e6f216be0206166efdc3a876855a73c645a4d00636b3081f2d2e7fe86a68359659768bb5278604666684413f4a265d505c933efb72476c587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab7f726fafb870bc42b7399139855c26

SHA1
19f8fa241366a63dc81d5903572f44ea1c977683

SHA256
1b09fd98b1310951555940b4c51ed7f27af84a6e679a8bf8d066154ce43ce6f5

SHA512
6119d35ee976b59ae562da8e533993e98c7a098659f15e0a02522d392e07b7c967ff2390d7079f519a03dd7985e3f7ca3ea487e0e97e28ee852d8e3dea41775f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 721652.crdownload

Filesize
8.0MB

MD5
85de6b0dd12dcea4946c9854401f7788

SHA1
00286f22f65a617333a8ca2f1df1daa7b6fa392a

SHA256
cd3f263a01926366643118c541a6ad24a171b4369363a60deb9a570a1d600865

SHA512
2d30328d96d7aeb61834db4f2709e92d6226e06ab6e0fafce77dede7134ac30d5620c1603949a050e418ba4b09d524dd3d85229dbfa3915fc2510b035af34571

Download Submit
memory/2836-66-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/2836-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/2836-11-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/2836-1-0x00000000006A0000-0x00000000006D6000-memory.dmp

Filesize
216KB

Download
memory/2940-132-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2940-131-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2940-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2940-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2940-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download