Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    08-02-2025 16:25

General

  • Target

    UniversitiesGe.exe

  • Size

    828KB

  • MD5

    d05c6019e8f4f2d004ae9055e1c8079d

  • SHA1

    13b411440b37d1134c09018fcc55b215d3743314

  • SHA256

    e5dd75c651de425c6ff14196ae0b026bd38a09bc9b535315a8d03e4c3c1c0a40

  • SHA512

    c33f0595b910e9664768003b76ea897a95ead7b063d5e58035587801798dfb4caa55351a0dca811c88450c6899602fcb1bd44fcb033f11d39652e65ea42e1d92

  • SSDEEP

    24576:KG0h0scaIrCcBGUGMx2R9THpPlP0tIkYqio:MhJcZhBpGMx+lPlsJdd

Malware Config

Extracted

Family

vidar

C2

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\UniversitiesGe.exe
    "C:\Users\Admin\AppData\Local\Temp\UniversitiesGe.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Ment Ment.cmd & Ment.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4852
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2912
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2884
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5064
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 597658
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1104
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Fifth
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1256
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Pastor" Cincinnati
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 597658\Bat.com + Times + Much + Button + Honey + Concerns + Fly + Every + Seminar + Qualified 597658\Bat.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4564
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Athens + ..\Chair + ..\Celebration + ..\Casey C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1356
      • C:\Users\Admin\AppData\Local\Temp\597658\Bat.com
        Bat.com C
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:356
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5008
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping payload omitted]
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4932
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\MicrosoftEdge_X64_132.0.2957.140.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:220
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff66724a818,0x7ff66724a824,0x7ff66724a830
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1528
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff66724a818,0x7ff66724a824,0x7ff66724a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:2584
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c059a818,0x7ff6c059a824,0x7ff6c059a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:1912
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c059a818,0x7ff6c059a824,0x7ff6c059a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4708
      • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c059a818,0x7ff6c059a824,0x7ff6c059a830
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:856
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded Omaha update-ping XML request omitted]
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5FD6773E-6FC0-4632-AAE8-93AF834B2EE2}\EDGEMITMP_1655A.tmp\setup.exe

    Filesize

    6.6MB

    MD5

    b4c8ad75087b8634d4f04dc6f92da9aa

    SHA1

    7efaa2472521c79d58c4ef18a258cc573704fb5d

    SHA256

    522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf

    SHA512

    5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    522KB

    MD5

    39350b32b0dbcc368621a2c2c851d4ee

    SHA1

    2d40553be0b947887e3b1400d6be14380e540b3a

    SHA256

    1aa7996368ada96fcdad0169c7b2a1a3966ec7713dc60854ba142919571dc441

    SHA512

    a4d6423cac15a0df2d1b67bb594821c4f2d85dd455f092605c1f67b9fa403b65a48d77a412d1541b93f6972370c06dd22bbeaf0b72ab5fefeb6436d5076cee36

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRJRABP8\76561199819539662[1].htm

    Filesize

    34KB

    MD5

    c887dbb4801d839754dc48c461572755

    SHA1

    f01a54694f59f85d4a249fc12340ae5ebd8329f3

    SHA256

    ac084fc958a1de7e1cc99c6223630f8488196554a84800359e0dc72ac85833b7

    SHA512

    c25d631f292b42e98c8457f2a3506cfbda51c7a59c8a9506bfd9adf41921ce40911b43b66c10466a3c81d4bdbc1c5489bf5a48b1320b7173d47ab4adb56e8cea

  • C:\Users\Admin\AppData\Local\Temp\597658\Bat.com

    Filesize

    198KB

    MD5

    f347ac8194ab411938e67e5c2b15198b

    SHA1

    b7ee1b372e29415f715d33384a095f13a2ac6e81

    SHA256

    dd1d7b3d30f2d6c838a521e22974b87667b59da911a2273ac76ee4c363c05900

    SHA512

    18d0024ef690c7b284280c7fd5cbda0f8ba3c8386c0271ef1ae05cc01bff11112b3e5feae7db381ae4e6bcc9284e61b930aee67aeeea4fd6b80524c3441df8fe

  • C:\Users\Admin\AppData\Local\Temp\597658\Bat.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\597658\C

    Filesize

    242KB

    MD5

    e5081be3c43b71f2c324509e3905c919

    SHA1

    a9a9e3455de38e23901bd19c35084cb487d56c3e

    SHA256

    dfc4959b1ffd2f633ca1b0d2c9a5a8850e8e7bf5d59a8dc848050362b11f2dca

    SHA512

    47bfb4b5a345a9f557c11e8220b8fe6d3de41bbe6c5917de1a1c6f4269e851cd60ee2bce3f69aa9eab70bfc37d319df61a3baff17303ab224bacdbffa416983b

  • C:\Users\Admin\AppData\Local\Temp\Athens

    Filesize

    57KB

    MD5

    fa1fd78212a58de0533495c6778e6d3e

    SHA1

    95e58c0bc9103618236a241d58ada1d15f449b29

    SHA256

    9534b5fb95c518194ac8b218cb9080ec6cdd6877481ba1fcf82a84b9007b1df3

    SHA512

    ab61ab59f0ea136206bf2546027ae68c0af7db2ba98d185a3dd26445b50a6c54f36fe03002588370bae15680d37106b810cd0b5f2cf20b944ae07e715b219e13

  • C:\Users\Admin\AppData\Local\Temp\Button

    Filesize

    70KB

    MD5

    ae86c29f25c53974e66f90a49be69796

    SHA1

    490a417f8024ddca87caaaddb8366deff1ab8c4e

    SHA256

    6f88f53220c40ee9f2fdb549e9ba7e0998e3279934448776119767948f5f9ffd

    SHA512

    a35280428c19f72051b2323672c7d79544dbf14fade70a3c5e874cf6d37be5677b036353c1c1881f9997359bdc461567a76c41cd7e4c087df2379116ba1fa063

  • C:\Users\Admin\AppData\Local\Temp\Casey

    Filesize

    34KB

    MD5

    118ffa8e5a9eabed5d95aa012f7a6db5

    SHA1

    4be84544f8df04e944f6741c8c207f50b35360a6

    SHA256

    2d8ba5fede231abe3f58f9a2be7b1729d47d934f3d5616f81d7c07cad4a6b9df

    SHA512

    fd6a04bd6b3ec3c9becfa4d12e6d8820bb17b15330b8650a809ddd035cdc3c49c2d4c9c6aab5cee5c5bb6b8cfea30c8f503e76e6d7f16b81ef95f40fc8a8b8ad

  • C:\Users\Admin\AppData\Local\Temp\Celebration

    Filesize

    83KB

    MD5

    11d8e2219353b27b7793128a5ff79e36

    SHA1

    1ce87f177fa10341a8c312a95e5d81abcfb06875

    SHA256

    6dad534d0d6179104b64ce3e26f28a4c5edc9e9b030fe634a8f06107b8f77f50

    SHA512

    d63bdbf650b24c81330aed48504e841708c10fa94ab8f54105a077d6a77ab1357cb7e0907ddf93705c6f21fd74c423bc3b44b2797a3bfd7a3587a715e1cc08f0

  • C:\Users\Admin\AppData\Local\Temp\Chair

    Filesize

    68KB

    MD5

    47d8a54fa650d6fd74eba187eebeab85

    SHA1

    a7828bdf2c81e0083b80d8a9262459667ee22e67

    SHA256

    522c47e2993416aee57a788aa3655e54ad2ec49223d5205285e7ccbdc24694ec

    SHA512

    a88d15a76e55b2cb479d9b1637c2d34d96d24966c482dfb64766916da7d211f6a579f4799b4e19c59abe27a84ec2d73ea65114ee62cf1207afee77f7f6b53fdf

  • C:\Users\Admin\AppData\Local\Temp\Cincinnati

    Filesize

    1KB

    MD5

    df863dfe1528490598409b41f940b9df

    SHA1

    d0cd2316f752bfaa222e70066c3d00fed07d3eb1

    SHA256

    ae799aa0b5eec813beea8423ace784172aa91b0e6c3ada1769338e0a3f617d75

    SHA512

    5dee2b641eea04e76c3f97beaf47a00f051d3cabe47382b74bf1b98ee84a1518937b578000aa6fe4bc9dcf8322fa222c6629e778da1a4c8a483a0adf6a5404f3

  • C:\Users\Admin\AppData\Local\Temp\Concerns

    Filesize

    94KB

    MD5

    004180fdb3d0fcadce55390ee219c97d

    SHA1

    e579fa8418655603b1ebcf9ded9dac398fc00bbd

    SHA256

    6e87f83a658ec477296fdd0e52309f5f8d82279f3336b42dec486239480321ae

    SHA512

    820ba44c6ff8a3d269431f64d23fc892bf4499f957d4b377296269236106f8a3c01f0fc3c02f1f4b0a14e2e9372d130ea4d9d16e97b0ff6401da9cf528f38992

  • C:\Users\Admin\AppData\Local\Temp\Every

    Filesize

    132KB

    MD5

    c8846f057078acc3cd27c0eb132c515d

    SHA1

    63496ec40103039868130096509dd8aa3492f224

    SHA256

    96f2352ffb731bbac2fa080086fdb11d2f7b01a10f8c3634d32d0498ae9b71ff

    SHA512

    fb262c02ce772c93f742eabb528dfd86c0ece0c0e2425b68846a62b1262ae6cb452bcae42e4aacc7767a71ea193cfde5da10069776eb12f285c9a0b6daaf0357

  • C:\Users\Admin\AppData\Local\Temp\Fifth

    Filesize

    476KB

    MD5

    642e781e97ebbe41489a2e209a112d79

    SHA1

    8c5f2e5948c0b422a52b844d5a5184a9264c1bb6

    SHA256

    ac589821b3508b48f460935f8a2b8fae481ca3228c98a187546337d192ad837b

    SHA512

    8107d8e7adadcb6ccecbbff19080aeaf02245cfd2a503fc7934fae309c75835f698a5203f2a4e29a2d01cf25e27c050ddaa06c9058c27d7b1fdfbb4b8c51d510

  • C:\Users\Admin\AppData\Local\Temp\Fly

    Filesize

    102KB

    MD5

    39dd73a39987b1e07f215ff3bd9dac79

    SHA1

    b0f6a3adec49fee690ffeffee5c41c5318e44ad8

    SHA256

    2c06fed7c4c902ca5c036e1974ceb187efeb47fc663bdf6cec33674cd5ef2368

    SHA512

    4dbcec767011a2f73d6660f887c9838218e4b7df8eabdd8e6018793528524ae1bd7da78a5e9f5bddcf88331d43e228dab3b3c4c5d352d670d5cd2cadf2b71000

  • C:\Users\Admin\AppData\Local\Temp\Honey

    Filesize

    127KB

    MD5

    62a89b70fddb0b5617c79041c763621b

    SHA1

    6293781334f2cc9ed7709811526c3aa00b7a8755

    SHA256

    625cfcab94d8a4b83497260617e126ed694e5a0712a638f80ada101ea14b9821

    SHA512

    218955f15bfb8fa659eb85130a8de9249a8aec187f106975165bf18b055721204cc03445b7eae31978025fa2ec57bc0f4cf399fe9864b930490bb95351c89af7

  • C:\Users\Admin\AppData\Local\Temp\Ment

    Filesize

    13KB

    MD5

    a67f25f56cb23fbc29e019e0cccd0a7b

    SHA1

    5f7b04dde51844b6a21d60766b893764693efa52

    SHA256

    aff0699b0257ab27762b1285b872e18f7d72cae40a01acd8cacf3155c7e7150f

    SHA512

    9f658c9c0423a25a3d70f8224ff0bb5e3dbb593994a0e4c0a3013d73ffbd3a6360b0b83653c6b4559c9152076951e7ce4fc88483f616dd152c4ad271a1c161df

  • C:\Users\Admin\AppData\Local\Temp\Much

    Filesize

    79KB

    MD5

    599d37d9b9fce86beae9fa45b594a2eb

    SHA1

    19d806e5d722774db3503662baba4d5916c06586

    SHA256

    f26f5a7a461b445dfaf187c2d3beee5edfbcf01acfb65fd0fe08a279603a6cef

    SHA512

    1563da7567837f3fa191e434a0c125abff07163ca8cea8db59c811b9893b145f0e7d971b21699358cd0f614959d546b03a219eb0e9a64b4d491bffaf500aedcd

  • C:\Users\Admin\AppData\Local\Temp\Qualified

    Filesize

    57KB

    MD5

    22169ccdb223ac6f9a4b6eb418e42694

    SHA1

    c2d34ff063a02bfebd94ab7ac422492eeb580673

    SHA256

    51fa2faebd30d506ef658476a2645a394deedd22b0e06a6f96d48a7a2b855c4b

    SHA512

    e0aaa1800260b89af45d5cfa85bc03aa1cd5dd2af093a419ee2502a856e4b0f0c32639ed413a38f066c7205e04cdedf46f876d0e80c6582b73c81309d6a38b90

  • C:\Users\Admin\AppData\Local\Temp\Seminar

    Filesize

    144KB

    MD5

    d284a50463ae857c47bd026148c1282e

    SHA1

    aea523cb5997f4caade22c9c432c9a2e712de356

    SHA256

    38fde8383b4cfc29b2ec19f5f8983ae67eddd2fa91e741c730111d726d85340c

    SHA512

    0305c6135406dde002fb17b7a059ffd2fa3f6bbbed8c1f7fa11ffc77609a7a70936f0ea8179246e1175fd31823bde8445309ca3774852c0b8721fa8ba5d7f562

  • C:\Users\Admin\AppData\Local\Temp\Times

    Filesize

    118KB

    MD5

    5c3d7b5bcc0336e55c9b07a5c1f6c03e

    SHA1

    2088651b12fd9b88c52cd0d1cddd63c10c538f84

    SHA256

    cca4b7e90e4eed0c1b7560c80547329147e2e4886e39e3e183d4ba5e7c49db36

    SHA512

    394517c8950746cf37488888336974d310b5448e5b55a1d7f312ea4f848e3530b1146845a1430768bd7f04794921bbbf5cd1d8cf21bbcd9c9a3b286a856adcea

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    99KB

    MD5

    1675caaebd736efc59971c1a55aec8fd

    SHA1

    0ed651ce1aa1b9b49bc10fa2349a665ab1c4b89e

    SHA256

    3e6ae4709123ee505fbd9e14c841f673c422846a00f803d733245725756ee668

    SHA512

    aa60ea36b1d46853be80a998694eaa51873daeacf2cba40a09c0715344b3c879f35fa38e2f4ce56426d04a80853317cf5341b5fadf61eb2ba9e8053653b2677d

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    100KB

    MD5

    7e895338e4c66c157831bbdafc3125ac

    SHA1

    b78dc1a74c6667b5055f1d44e495b457db403b1d

    SHA256

    01f199525ca060e42a3818e257be22d0db00484b1b61813d51665fe02e6bb23f

    SHA512

    ce01af85e3bf8683108923f38ed58b4ec07619ca943f444bc3ab9612592282b85b28aacda530d4e5ae92593b80ac00e1fb3550d40c9e200e081d314f8eb351c5

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    71KB

    MD5

    e3e693427c10942d5c560106d1590578

    SHA1

    d5f8620fbd08d2992871f4598b29528031d14a32

    SHA256

    d5a747316b2e9bba59b8fb17794757966f092812c25b39ade2d995e51a004e48

    SHA512

    5c8bb2e38ff66d48acd45844c25b9e39498ba9bd88d9a5b5a3c4b69e592fd5129c290cd6dbff9dca344a09ecbefed83a2db34223bae5d73fa1b3fac37b5c23ab

  • C:\Windows\SystemTemp\msedge_installer.log

    Filesize

    95KB

    MD5

    3b2bf9f47dc89d09aa2cd7e58ccb9204

    SHA1

    386d2895d91e78fd0df4cc85ed9ca8d656bf4507

    SHA256

    1146f0d9a5fcac44fc3393543242cfe4e55f3744ac9cca960f7ded0d7a6587a8

    SHA512

    018816a7bf28e784bf3545a7080c723a8ebbade68a00043408bb665775ffb79f222f4e397dc779e824082767a181148d916ce2f33d0a116664c28bd57a89c8df

  • memory/356-65-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-67-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-66-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-64-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-62-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-63-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

  • memory/356-61-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB