vidar | e5dd75c651de425c6ff14196ae0b026bd38a09bc9b535315a8d03e4c3c1c0a40

Analysis

max time kernel
144s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2025 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UniversitiesGe.exe
Size

828KB
MD5

d05c6019e8f4f2d004ae9055e1c8079d
SHA1

13b411440b37d1134c09018fcc55b215d3743314
SHA256

e5dd75c651de425c6ff14196ae0b026bd38a09bc9b535315a8d03e4c3c1c0a40
SHA512

c33f0595b910e9664768003b76ea897a95ead7b063d5e58035587801798dfb4caa55351a0dca811c88450c6899602fcb1bd44fcb033f11d39652e65ea42e1d92
SSDEEP

24576:KG0h0scaIrCcBGUGMx2R9THpPlP0tIkYqio:MhJcZhBpGMx+lPlsJdd

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral3/memory/3276-391-0x0000000003EF0000-0x0000000003F12000-memory.dmp	family_vidar_v7
behavioral3/memory/3276-390-0x0000000003EF0000-0x0000000003F12000-memory.dmp	family_vidar_v7
behavioral3/memory/3276-389-0x0000000003EF0000-0x0000000003F12000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 1 IoCs

pid	Process
3276	Bat.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1356	tasklist.exe
4896	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FavoriteElderly	UniversitiesGe.exe
File opened for modification	C:\Windows\CollinsRenaissance	UniversitiesGe.exe
File opened for modification	C:\Windows\WebsiteCoordination	UniversitiesGe.exe
File opened for modification	C:\Windows\AccompaniedMassive	UniversitiesGe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversitiesGe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bat.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
8	MicrosoftEdgeUpdate.exe
2324	MicrosoftEdgeUpdate.exe
3904	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3276	Bat.com
3276	Bat.com
3276	Bat.com
3276	Bat.com
3276	Bat.com
3276	Bat.com
1764	MicrosoftEdgeUpdate.exe
1764	MicrosoftEdgeUpdate.exe
1764	MicrosoftEdgeUpdate.exe
1764	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeDebugPrivilege	4896	tasklist.exe
Token: SeDebugPrivilege	1764	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3276	Bat.com
3276	Bat.com
3276	Bat.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3276	Bat.com
3276	Bat.com
3276	Bat.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 5088	3068	UniversitiesGe.exe	89
PID 3068 wrote to memory of 5088	3068	UniversitiesGe.exe	89
PID 3068 wrote to memory of 5088	3068	UniversitiesGe.exe	89
PID 5088 wrote to memory of 1356	5088	cmd.exe	91
PID 5088 wrote to memory of 1356	5088	cmd.exe	91
PID 5088 wrote to memory of 1356	5088	cmd.exe	91
PID 5088 wrote to memory of 2504	5088	cmd.exe	92
PID 5088 wrote to memory of 2504	5088	cmd.exe	92
PID 5088 wrote to memory of 2504	5088	cmd.exe	92
PID 5088 wrote to memory of 4896	5088	cmd.exe	94
PID 5088 wrote to memory of 4896	5088	cmd.exe	94
PID 5088 wrote to memory of 4896	5088	cmd.exe	94
PID 5088 wrote to memory of 1696	5088	cmd.exe	95
PID 5088 wrote to memory of 1696	5088	cmd.exe	95
PID 5088 wrote to memory of 1696	5088	cmd.exe	95
PID 5088 wrote to memory of 5116	5088	cmd.exe	96
PID 5088 wrote to memory of 5116	5088	cmd.exe	96
PID 5088 wrote to memory of 5116	5088	cmd.exe	96
PID 5088 wrote to memory of 3904	5088	cmd.exe	97
PID 5088 wrote to memory of 3904	5088	cmd.exe	97
PID 5088 wrote to memory of 3904	5088	cmd.exe	97
PID 5088 wrote to memory of 2236	5088	cmd.exe	98
PID 5088 wrote to memory of 2236	5088	cmd.exe	98
PID 5088 wrote to memory of 2236	5088	cmd.exe	98
PID 5088 wrote to memory of 1512	5088	cmd.exe	99
PID 5088 wrote to memory of 1512	5088	cmd.exe	99
PID 5088 wrote to memory of 1512	5088	cmd.exe	99
PID 5088 wrote to memory of 2748	5088	cmd.exe	100
PID 5088 wrote to memory of 2748	5088	cmd.exe	100
PID 5088 wrote to memory of 2748	5088	cmd.exe	100
PID 5088 wrote to memory of 3276	5088	cmd.exe	101
PID 5088 wrote to memory of 3276	5088	cmd.exe	101
PID 5088 wrote to memory of 3276	5088	cmd.exe	101
PID 5088 wrote to memory of 3396	5088	cmd.exe	102
PID 5088 wrote to memory of 3396	5088	cmd.exe	102
PID 5088 wrote to memory of 3396	5088	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\UniversitiesGe.exe
"C:\Users\Admin\AppData\Local\Temp\UniversitiesGe.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Ment Ment.cmd & Ment.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 597658
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Fifth
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Pastor" Cincinnati
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 597658\Bat.com + Times + Much + Button + Honey + Concerns + Fly + Every + Seminar + Qualified 597658\Bat.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Athens + ..\Chair + ..\Celebration + ..\Casey C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\597658\Bat.com
    Bat.com C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3276
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3836,i,4562100277163084989,990114372951809185,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:14
1⤵
PID:3384

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTA1QjRCNEItOEFFMC00MDJFLUFCNjItMTdFMDZBMTRFQzRGfSIgdXNlcmlkPSJ7ODZEQUFFQTYtMjhGMC00QTY4LTk1MUEtNEJBMEY5MTlCMzcyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Njc5Q0M3QjItRjI4Ni00Njk2LUJGOEMtMEI3MjAxRjFCMjhFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjQ2OSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MTM1MzQ4MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzNzc1MjcwOTIiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:8

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4844" "1268" "1164" "1272" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1308

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTA1QjRCNEItOEFFMC00MDJFLUFCNjItMTdFMDZBMTRFQzRGfSIgdXNlcmlkPSJ7ODZEQUFFQTYtMjhGMC00QTY4LTk1MUEtNEJBMEY5MTlCMzcyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4NjgzRjM5Qy03MzFBLTRDRTUtOUE1MC02NEE0QjY3QzZCRDd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzMuMC4zMDY1LjUxIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTU1OTg2Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM4NTMzOTgyNSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2324

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTA1QjRCNEItOEFFMC00MDJFLUFCNjItMTdFMDZBMTRFQzRGfSIgdXNlcmlkPSJ7ODZEQUFFQTYtMjhGMC00QTY4LTk1MUEtNEJBMEY5MTlCMzcyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3RENBOEI2MS1EOThCLTQzNEEtOTBBNy1DOUZCMjNDNkIxMDJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC42MCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntFRTgzQjkzNS0yMTBGLTRFNzktOTg3OS02MTAzNjcwMTFGRTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNTEiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC4yNCIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQzMjQ0MzE3NTYzMjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxIiByPSIxIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MUJEQjBFOUUtOUMzQy00MDMwLTlEMjEtNkNDREQxMTlEMkFBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNDMiIHVwZGF0ZV9jb3VudD0iMSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9InswNzM0NEQxMi1BNEY0LTQ4OTQtQkM3My00QkZEQzBFNkJDQzF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4860,i,4562100277163084989,990114372951809185,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:14
1⤵
PID:3644

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4132,i,4562100277163084989,990114372951809185,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:14
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
350KB

MD5
f12ccdddce812e18970de3e7db5e857d

SHA1
d452c65214bf1358f0be17f1374492f78c380a10

SHA256
267b87f63b4a0c6eb64564d32607f416e59445da72d9b15068e0959794630004

SHA512
57d6fa2cb9a63d17f99f1135fc2e8cb3058b133ac792543797e33e63b255ef4a13dd875e0c80ede85d7b198cff0eebb90ff4f7c7d8ad102ee4d3b1c466628385

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
376KB

MD5
732f71cfc2dfc5c042cf2187d1b789ae

SHA1
9ea3df45e4d5476d560a016cf38e774c3a702ed3

SHA256
bc85d77bad63a9fa456fd9855649ac15b590b9884b7a6ff79bf7d96be61756d8

SHA512
bebdc4f62ad341ba3503b2388986d6e50657e943e1fb22d24d306cf8fe69dd985d7bdd09e129f6c8e77ab166b2f290972db86d0c7bb803fb39e9c422d2a04118

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
388KB

MD5
f9f74988f3f7c906cbf493f4bb988678

SHA1
2970b64796c3383bc4df89de3c4762c67fc1369b

SHA256
c2c75a9a7a9d1830ae0b614c5e8b502046de1af91586dcddddf8bc9413aa6c4d

SHA512
cd65d626abca98d56af09b69742140d63dac80a05bd9b782b5e3af7148d397d239d2b00ceb2cb73508356f1f9f40f279c1902417303ea1be1254417d956dedbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G8ZU93JO\76561199819539662[1].htm

Filesize
34KB

MD5
6aa69f8d5fb236a01b146f533b4c1351

SHA1
3365468457ed84f1419ea9a0fcba616783cd1f76

SHA256
c2404ec287e95219e570af9ed24f09431647127c5a9a520a6baea5801fbdd501

SHA512
f922a21e699ef9824af134d5ad73aaf941ca4c830d2935e5b4c62de7c7e593bcdb64ade78c228f414b1b3f165ad461b90695962054ba27b9b599e263116cb335

Download Submit
C:\Users\Admin\AppData\Local\Temp\597658\Bat.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\597658\C

Filesize
242KB

MD5
e5081be3c43b71f2c324509e3905c919

SHA1
a9a9e3455de38e23901bd19c35084cb487d56c3e

SHA256
dfc4959b1ffd2f633ca1b0d2c9a5a8850e8e7bf5d59a8dc848050362b11f2dca

SHA512
47bfb4b5a345a9f557c11e8220b8fe6d3de41bbe6c5917de1a1c6f4269e851cd60ee2bce3f69aa9eab70bfc37d319df61a3baff17303ab224bacdbffa416983b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Athens

Filesize
57KB

MD5
fa1fd78212a58de0533495c6778e6d3e

SHA1
95e58c0bc9103618236a241d58ada1d15f449b29

SHA256
9534b5fb95c518194ac8b218cb9080ec6cdd6877481ba1fcf82a84b9007b1df3

SHA512
ab61ab59f0ea136206bf2546027ae68c0af7db2ba98d185a3dd26445b50a6c54f36fe03002588370bae15680d37106b810cd0b5f2cf20b944ae07e715b219e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Button

Filesize
70KB

MD5
ae86c29f25c53974e66f90a49be69796

SHA1
490a417f8024ddca87caaaddb8366deff1ab8c4e

SHA256
6f88f53220c40ee9f2fdb549e9ba7e0998e3279934448776119767948f5f9ffd

SHA512
a35280428c19f72051b2323672c7d79544dbf14fade70a3c5e874cf6d37be5677b036353c1c1881f9997359bdc461567a76c41cd7e4c087df2379116ba1fa063

Download Submit
C:\Users\Admin\AppData\Local\Temp\Casey

Filesize
34KB

MD5
118ffa8e5a9eabed5d95aa012f7a6db5

SHA1
4be84544f8df04e944f6741c8c207f50b35360a6

SHA256
2d8ba5fede231abe3f58f9a2be7b1729d47d934f3d5616f81d7c07cad4a6b9df

SHA512
fd6a04bd6b3ec3c9becfa4d12e6d8820bb17b15330b8650a809ddd035cdc3c49c2d4c9c6aab5cee5c5bb6b8cfea30c8f503e76e6d7f16b81ef95f40fc8a8b8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celebration

Filesize
83KB

MD5
11d8e2219353b27b7793128a5ff79e36

SHA1
1ce87f177fa10341a8c312a95e5d81abcfb06875

SHA256
6dad534d0d6179104b64ce3e26f28a4c5edc9e9b030fe634a8f06107b8f77f50

SHA512
d63bdbf650b24c81330aed48504e841708c10fa94ab8f54105a077d6a77ab1357cb7e0907ddf93705c6f21fd74c423bc3b44b2797a3bfd7a3587a715e1cc08f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chair

Filesize
68KB

MD5
47d8a54fa650d6fd74eba187eebeab85

SHA1
a7828bdf2c81e0083b80d8a9262459667ee22e67

SHA256
522c47e2993416aee57a788aa3655e54ad2ec49223d5205285e7ccbdc24694ec

SHA512
a88d15a76e55b2cb479d9b1637c2d34d96d24966c482dfb64766916da7d211f6a579f4799b4e19c59abe27a84ec2d73ea65114ee62cf1207afee77f7f6b53fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cincinnati

Filesize
1KB

MD5
df863dfe1528490598409b41f940b9df

SHA1
d0cd2316f752bfaa222e70066c3d00fed07d3eb1

SHA256
ae799aa0b5eec813beea8423ace784172aa91b0e6c3ada1769338e0a3f617d75

SHA512
5dee2b641eea04e76c3f97beaf47a00f051d3cabe47382b74bf1b98ee84a1518937b578000aa6fe4bc9dcf8322fa222c6629e778da1a4c8a483a0adf6a5404f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Concerns

Filesize
94KB

MD5
004180fdb3d0fcadce55390ee219c97d

SHA1
e579fa8418655603b1ebcf9ded9dac398fc00bbd

SHA256
6e87f83a658ec477296fdd0e52309f5f8d82279f3336b42dec486239480321ae

SHA512
820ba44c6ff8a3d269431f64d23fc892bf4499f957d4b377296269236106f8a3c01f0fc3c02f1f4b0a14e2e9372d130ea4d9d16e97b0ff6401da9cf528f38992

Download Submit
C:\Users\Admin\AppData\Local\Temp\Every

Filesize
132KB

MD5
c8846f057078acc3cd27c0eb132c515d

SHA1
63496ec40103039868130096509dd8aa3492f224

SHA256
96f2352ffb731bbac2fa080086fdb11d2f7b01a10f8c3634d32d0498ae9b71ff

SHA512
fb262c02ce772c93f742eabb528dfd86c0ece0c0e2425b68846a62b1262ae6cb452bcae42e4aacc7767a71ea193cfde5da10069776eb12f285c9a0b6daaf0357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fifth

Filesize
476KB

MD5
642e781e97ebbe41489a2e209a112d79

SHA1
8c5f2e5948c0b422a52b844d5a5184a9264c1bb6

SHA256
ac589821b3508b48f460935f8a2b8fae481ca3228c98a187546337d192ad837b

SHA512
8107d8e7adadcb6ccecbbff19080aeaf02245cfd2a503fc7934fae309c75835f698a5203f2a4e29a2d01cf25e27c050ddaa06c9058c27d7b1fdfbb4b8c51d510

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fly

Filesize
102KB

MD5
39dd73a39987b1e07f215ff3bd9dac79

SHA1
b0f6a3adec49fee690ffeffee5c41c5318e44ad8

SHA256
2c06fed7c4c902ca5c036e1974ceb187efeb47fc663bdf6cec33674cd5ef2368

SHA512
4dbcec767011a2f73d6660f887c9838218e4b7df8eabdd8e6018793528524ae1bd7da78a5e9f5bddcf88331d43e228dab3b3c4c5d352d670d5cd2cadf2b71000

Download Submit
C:\Users\Admin\AppData\Local\Temp\Honey

Filesize
127KB

MD5
62a89b70fddb0b5617c79041c763621b

SHA1
6293781334f2cc9ed7709811526c3aa00b7a8755

SHA256
625cfcab94d8a4b83497260617e126ed694e5a0712a638f80ada101ea14b9821

SHA512
218955f15bfb8fa659eb85130a8de9249a8aec187f106975165bf18b055721204cc03445b7eae31978025fa2ec57bc0f4cf399fe9864b930490bb95351c89af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ment

Filesize
13KB

MD5
a67f25f56cb23fbc29e019e0cccd0a7b

SHA1
5f7b04dde51844b6a21d60766b893764693efa52

SHA256
aff0699b0257ab27762b1285b872e18f7d72cae40a01acd8cacf3155c7e7150f

SHA512
9f658c9c0423a25a3d70f8224ff0bb5e3dbb593994a0e4c0a3013d73ffbd3a6360b0b83653c6b4559c9152076951e7ce4fc88483f616dd152c4ad271a1c161df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Much

Filesize
79KB

MD5
599d37d9b9fce86beae9fa45b594a2eb

SHA1
19d806e5d722774db3503662baba4d5916c06586

SHA256
f26f5a7a461b445dfaf187c2d3beee5edfbcf01acfb65fd0fe08a279603a6cef

SHA512
1563da7567837f3fa191e434a0c125abff07163ca8cea8db59c811b9893b145f0e7d971b21699358cd0f614959d546b03a219eb0e9a64b4d491bffaf500aedcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qualified

Filesize
57KB

MD5
22169ccdb223ac6f9a4b6eb418e42694

SHA1
c2d34ff063a02bfebd94ab7ac422492eeb580673

SHA256
51fa2faebd30d506ef658476a2645a394deedd22b0e06a6f96d48a7a2b855c4b

SHA512
e0aaa1800260b89af45d5cfa85bc03aa1cd5dd2af093a419ee2502a856e4b0f0c32639ed413a38f066c7205e04cdedf46f876d0e80c6582b73c81309d6a38b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seminar

Filesize
144KB

MD5
d284a50463ae857c47bd026148c1282e

SHA1
aea523cb5997f4caade22c9c432c9a2e712de356

SHA256
38fde8383b4cfc29b2ec19f5f8983ae67eddd2fa91e741c730111d726d85340c

SHA512
0305c6135406dde002fb17b7a059ffd2fa3f6bbbed8c1f7fa11ffc77609a7a70936f0ea8179246e1175fd31823bde8445309ca3774852c0b8721fa8ba5d7f562

Download Submit
C:\Users\Admin\AppData\Local\Temp\Times

Filesize
118KB

MD5
5c3d7b5bcc0336e55c9b07a5c1f6c03e

SHA1
2088651b12fd9b88c52cd0d1cddd63c10c538f84

SHA256
cca4b7e90e4eed0c1b7560c80547329147e2e4886e39e3e183d4ba5e7c49db36

SHA512
394517c8950746cf37488888336974d310b5448e5b55a1d7f312ea4f848e3530b1146845a1430768bd7f04794921bbbf5cd1d8cf21bbcd9c9a3b286a856adcea

Download Submit
memory/3276-385-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-389-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-390-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-391-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-388-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-386-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download
memory/3276-387-0x0000000003EF0000-0x0000000003F12000-memory.dmp

Filesize
136KB

Download