Analysis

  • max time kernel
    231s
  • max time network
    237s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 17:59

General

  • Target

    https://www.youtube.com/watch?v=IKgUvfS48to

Malware Config

Extracted

Family

redline

C2

194.26.232.43:20746

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IKgUvfS48to
    1⤵
      PID:3488
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3956 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:1400
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5296 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:2296
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4936 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3920
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4744 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:3692
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4856 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:2032
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6064 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6120 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:1068
                  • C:\Windows\system32\AUDIODG.EXE
                    C:\Windows\system32\AUDIODG.EXE 0x350 0x500
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1520
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                    1⤵
                    • Modifies registry class
                    PID:4384
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6452 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                    1⤵
                      PID:3228
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6676 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                      1⤵
                        PID:3372
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6304 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                        1⤵
                          PID:508
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6276 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                          1⤵
                            PID:2416
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6948 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                            1⤵
                              PID:4384
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=7080 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                              1⤵
                                PID:2040
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7284 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                1⤵
                                  PID:4492
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7496 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                  1⤵
                                    PID:3088
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7400 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                    1⤵
                                      PID:4332
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7696 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                      1⤵
                                        PID:2684
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7824 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                        1⤵
                                          PID:4632
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7964 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                          1⤵
                                            PID:3812
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8092 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                            1⤵
                                              PID:3908
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8236 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                              1⤵
                                                PID:1820
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8292 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                1⤵
                                                  PID:3200
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8520 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                  1⤵
                                                    PID:3900
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8848 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                    1⤵
                                                      PID:5360
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=9032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                                                      1⤵
                                                        PID:5740
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=9048 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                        1⤵
                                                          PID:5748
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9484 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                          1⤵
                                                            PID:5868
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9056 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                                                            1⤵
                                                              PID:5956
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9896 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                                                              1⤵
                                                                PID:5996
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                1⤵
                                                                  PID:6068
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=10100 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                  1⤵
                                                                    PID:4348
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=10248 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                    1⤵
                                                                      PID:1928
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=10268 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                      1⤵
                                                                        PID:2936
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=10612 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                        1⤵
                                                                          PID:2160
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=10532 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                          1⤵
                                                                            PID:4048
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=11236 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                            1⤵
                                                                              PID:6176
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=11356 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
                                                                              1⤵
                                                                                PID:6240
                                                                              • C:\Windows\System32\rundll32.exe
                                                                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                1⤵
                                                                                  PID:6320
                                                                                • C:\Program Files\7-Zip\7zG.exe
                                                                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ShowPop\" -ad -an -ai#7zMap18216:76:7zEvent7670
                                                                                  1⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:6596
                                                                                • C:\Program Files\7-Zip\7zFM.exe
                                                                                  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ShowPop\PopShow.rar"
                                                                                  1⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:6900
                                                                                • C:\Program Files\7-Zip\7zG.exe
                                                                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ShowPop\PopShow\" -ad -an -ai#7zMap4143:92:7zEvent12038
                                                                                  1⤵
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  PID:7044
                                                                                • C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
                                                                                  "C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:5288
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                    2⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5052
                                                                                • C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
                                                                                  "C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:6272
                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                    2⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2288
                                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.txt
                                                                                  1⤵
                                                                                  • Opens file in notepad (likely ransom note)
                                                                                  PID:7024
                                                                                • C:\Windows\system32\taskmgr.exe
                                                                                  "C:\Windows\system32\taskmgr.exe" /0
                                                                                  1⤵
                                                                                  • Checks SCSI registry key(s)
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:5428
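Added hunting example, not part of the Triage report: in the tree above the process with PID 6272, which executed a dropped EXE and used SetThreadContext and WriteProcessMemory, spawns MSBuild.exe (PID 2288) with nothing but the executable on its command line. The Python below checks Sysmon-style process-creation records for that combination: a Framework MSBuild.exe started without a project file or switch, by a parent running from a user-writable directory. The records are constructed; only PID 2288, its parent PID 6272 and the file paths come from the report, the parent's image is assumed to be the dropped IncMoreV2.exe, and every other PID and record is made up to give the rule benign traffic to ignore.

```python
"""Hunt for argument-less MSBuild.exe launches from a user-writable parent."""
import re

# Constructed Sysmon-style (Event ID 1) records. PIDs 2288 and 6272 and
# the paths come from the report; the parent image of 2288 is ASSUMED to
# be the dropped IncMoreV2.exe; everything else is made up for contrast.
EVENTS = [
    {"pid": 6272, "ppid": 4100,  # constructed ppid
     "image": r"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 2288, "ppid": 6272,  # the MSBuild.exe from the process tree
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
     "parent_image": r"C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"},
    {"pid": 7788, "ppid": 7000,  # benign: an IDE building a project
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\src\app\app.csproj /t:Build',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"pid": 7790, "ppid": 7100,  # grey: user-path parent, but a real project argument
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" build.proj',
     "parent_image": r"C:\Users\dev\tools\build.exe"},
]

MSBUILD = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\msbuild\.exe$", re.I)
# Locations a standard user can write to; a parent living here is far
# more likely to be a dropped payload than a build tool.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def arguments_after_image(cmdline):
    """Return whatever follows the executable token of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip()


def from_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess(event):
    """Reasons an MSBuild.exe launch resembles the injection host in the tree above."""
    reasons = []
    if not MSBUILD.search(event["image"]):
        return reasons
    if arguments_after_image(event["cmdline"]) == "":
        reasons.append("MSBuild.exe started with no project file or switches")
    if from_user_writable(event["parent_image"]):
        reasons.append("parent executes from a user-writable directory")
    return reasons


def hunt(events, min_reasons=2):
    """(pid, reasons) for every record that meets the threshold."""
    hits = []
    for event in events:
        reasons = assess(event)
        if len(reasons) >= min_reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS):
        print(pid, "; ".join(reasons))
```

With the default threshold only PID 2288 is reported; lowering `min_reasons` to 1 also surfaces the build.exe case, which is the trade-off to tune against your own build hosts. The rule keys on the launch shape alone, so pair it with the injection telemetry (Sysmon process-access or thread-creation events into the MSBuild child) before treating a hit as confirmed.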

                                                                                Network

                                                                                MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IncMoreV2.exe.log
  Filesize 42B
  MD5      84cfdb4b995b1dbf543b26b86c863adc
  SHA1     d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256   d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512   485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
  Filesize 2KB
  MD5      e34b053c93dcb4160094249280888117
  SHA1     bd7cd93042c200c5fb012bccf3cd9f72d7e79cef
  SHA256   2bc71ddd63acfb9d101892e29033c75b4023727e1cadc489ecb2421c1960eaa8
  SHA512   f8753ec3f9f413e1fac84caa1905509a978dfc63211dcd0a889a4283840ae2e6e9101e1f7ee7d582acc5e0ae722fdab8f6047aa02cee28869a094b4f494897f2

• C:\Users\Admin\AppData\Local\Temp\TmpDF26.tmp
  Filesize 2KB
  MD5      1420d30f964eac2c85b2ccfe968eebce
  SHA1     bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256   f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512   6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
  Filesize 2KB
  MD5      9342048f14337cc203776c83d6525cb5
  SHA1     ed4d03509844e11d7cb675fc5b7ff181e1f2b2d4
  SHA256   2e83703987946ea53d945f424f3e7b8b599ab374ac0fbc7fd0958c18f5ad64a9
  SHA512   af0f7fca852a4c4a0d154d90d91409e18147b5ef40358f164f0c7b3071a4867e8986e4a942dfe25a07169f5aa65ab790ecbbaf060818fcd39694ae6b0e1a1881

• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353 (same path, second write)
  Filesize 2KB
  MD5      0158fe9cead91d1b027b795984737614
  SHA1     b41a11f909a7bdf1115088790a5680ac4e23031b
  SHA256   513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
  SHA512   c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

• C:\Users\Admin\AppData\Roaming\d3d9.dll
  Filesize 399KB
  MD5      20f5b4bc6124662b3c4f3705859f5b74
  SHA1     ca131bc8dbf513b54620c49ff881b16cda09f034
  SHA256   ec2b3e731921dfd83bc9838c1bd3bd939c40afe67012e70b3c9ff550b2fe3759
  SHA512   fae5e630468169c08beabcd033e1274faf68421921cd76135ef2fc73c5ce05b8d426690af32e08c14d8824a82b111a762f080c6993a1894cb7f5529fc0553257

• C:\Users\Admin\Desktop\Microsoft Edge.lnk
  Filesize 2KB
  MD5      90181c05b75d98ca1e20a89d78949801
  SHA1     16431d82e201c4a0753ace0062081e0752b1e36d
  SHA256   fa12bdb7d6789d214f44e7b256c285a2a5920de8895b715c149f717d0bd442be
  SHA512   737a8317c07c964d76e6e53adf637681eb168e34a1c6f8586d876594096867d30484f53f7279104d65536be025d392bd724ddb720bfe5f3aa9c29ef2abec4829

• C:\Users\Admin\Downloads\ShowPop\PopShow.rar
  Filesize 4.8MB
  MD5      154e7bb63b68204662cf3cb75c882700
  SHA1     441ff56782fe2ea9ab0fdc05b6534d9ab5047630
  SHA256   a6e19b3b86a29dac930407496725e0b9780dbbe757b6bc826b76a83afa1a3bfa
  SHA512   0229c906f1cf88716f4edaf16507dd50507c9db403dc9f1fbb009bdc730e716cb8ed879e431dce818fb75eaf14a4232fdd4c53dcd3a12d45286b176c5b71280c

• C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
  Filesize 841KB
  MD5      9688ab34aba493dfad34e3424d1811cb
  SHA1     ce060a74674fc9930eef50365fc1acbb781f14de
  SHA256   9f5cfb681b239d6f95b34463fd709df372ad803ebdbdca2105bf17869e6cd1e2
  SHA512   099883596e799a998586ef11f36813f798d4a65fa51c4afc8757e573cc0a07c69131e936bff139bff9786927c24ff1c105635680859443081a1b6cbba2375621

Memory dumps (one line per dump: process PID, dump index, address range, size)

• memory/2288-460-0x0000000006CB0000-0x0000000006CC2000-memory.dmp  Filesize 72KB
• memory/2288-416-0x0000000005880000-0x000000000588A000-memory.dmp  Filesize 40KB
• memory/2288-463-0x0000000006FE0000-0x0000000007046000-memory.dmp  Filesize 408KB
• memory/2288-459-0x0000000006D70000-0x0000000006E7A000-memory.dmp  Filesize 1.0MB
• memory/2288-458-0x0000000007220000-0x0000000007838000-memory.dmp  Filesize 6.1MB
• memory/5052-461-0x00000000064C0000-0x00000000064FC000-memory.dmp  Filesize 240KB
• memory/5052-452-0x0000000006390000-0x00000000063AE000-memory.dmp  Filesize 120KB
• memory/5052-451-0x0000000005CA0000-0x0000000005D16000-memory.dmp  Filesize 472KB
• memory/5052-407-0x0000000004E40000-0x0000000004ED2000-memory.dmp  Filesize 584KB
• memory/5052-406-0x00000000052F0000-0x0000000005894000-memory.dmp  Filesize 5.6MB
• memory/5052-462-0x0000000006630000-0x000000000667C000-memory.dmp  Filesize 304KB
• memory/5052-404-0x0000000000400000-0x0000000000452000-memory.dmp  Filesize 328KB
• memory/5052-464-0x00000000076C0000-0x0000000007882000-memory.dmp  Filesize 1.8MB
• memory/5052-465-0x0000000007DC0000-0x00000000082EC000-memory.dmp  Filesize 5.2MB
• memory/5052-466-0x00000000079E0000-0x0000000007A30000-memory.dmp  Filesize 320KB
• memory/5288-397-0x0000000000350000-0x000000000042C000-memory.dmp  Filesize 880KB
• memory/5288-398-0x0000000002840000-0x0000000002846000-memory.dmp  Filesize 24KB
• memory/5428-472-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-473-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-474-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-484-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-483-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-482-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-481-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-480-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-479-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
• memory/5428-478-0x0000022D9CB80000-0x0000022D9CB81000-memory.dmp  Filesize 4KB
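Added example, not part of the report: a parser for the dropped-file list in the flattened layout the report uses, and a matcher that hashes local files against it. The embedded excerpt copies three entries from the list above (SHA512 lines left out); the two entries that share the RSA key-container path are kept deliberately, because one path carrying two hash sets is exactly the case a naive path-keyed lookup gets wrong. Nothing else is assumed.

```python
"""Match local files against the dropped-file hashes in the report above."""
import hashlib
import re
import sys
from pathlib import Path

# Excerpt of the dropped-file list in the report's own flattened layout
# (a bullet line with the path, then label/value pairs). Three entries
# are copied from the page; SHA512 lines are omitted for brevity.
REPORT_EXCERPT = r"""
• C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
Filesize
841KB
MD5
9688ab34aba493dfad34e3424d1811cb
SHA1
ce060a74674fc9930eef50365fc1acbb781f14de
SHA256
9f5cfb681b239d6f95b34463fd709df372ad803ebdbdca2105bf17869e6cd1e2
• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
2KB
MD5
9342048f14337cc203776c83d6525cb5
SHA1
ed4d03509844e11d7cb675fc5b7ff181e1f2b2d4
SHA256
2e83703987946ea53d945f424f3e7b8b599ab374ac0fbc7fd0958c18f5ad64a9
• C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\76b53b3ec448f7ccdda2063b15d2bfc3_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
2KB
MD5
0158fe9cead91d1b027b795984737614
SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
ALGOS = ("md5", "sha1", "sha256")


def parse_report(text):
    """Flattened list -> [{'path', 'filesize', 'md5', 'sha1', 'sha256', ...}]."""
    entries, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):                 # a new dropped-file entry
            entries.append({"path": line[1:].strip()})
            pending = None
        elif line in LABELS:                     # label line; value follows
            pending = line
        elif entries and pending:                # value line for the last label
            entries[-1][pending.lower()] = line if pending == "Filesize" else line.lower()
            pending = None
    return entries


def parse_size(text):
    """'841KB' -> 861184 bytes. The report rounds sizes, so treat as approximate."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def build_index(entries):
    """(algorithm, hexdigest) -> report path; keyed by hash, not by path."""
    return {(algo, e[algo]): e["path"] for e in entries for algo in ALGOS if algo in e}


def hash_bytes(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def match_bytes(index, data):
    """Strongest algorithm first; returns (algorithm, report_path) or None."""
    digests = hash_bytes(data)
    for algo in ("sha256", "sha1", "md5"):
        if (algo, digests[algo]) in index:
            return algo, index[(algo, digests[algo])]
    return None


def scan_dir(index, root):
    """Walk a directory; return (local path, algorithm, report path) per hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hit = match_bytes(index, path.read_bytes())
            if hit:
                hits.append((str(path), *hit))
    return hits


ENTRIES = parse_report(REPORT_EXCERPT)
INDEX = build_index(ENTRIES)

if __name__ == "__main__":
    for found in scan_dir(INDEX, sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*found)
```

Point `scan_dir` at a user profile or a mounted image to get the hits; the index is keyed by hash rather than path, so both writes to the RSA key container resolve to the same report entry, and a renamed copy of IncMoreV2.exe still matches. The Filesize field is only a coarse pre-filter because the report rounds it.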