Analysis
-
max time kernel: 231s
max time network: 237s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 17:59
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.youtube.com/watch?v=IKgUvfS48to
Resource: win10v2004-20240226-en
General
-
Target: https://www.youtube.com/watch?v=IKgUvfS48to
Malware Config
Extracted
Family: redline
C2: 194.26.232.43:20746
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource: behavioral1/memory/5052-404-0x0000000000400000-0x0000000000452000-memory.dmp
yara_rule: family_redline
-
Executes dropped EXE 2 IoCs
pid   Process
5288  IncMoreV2.exe
6272  IncMoreV2.exe
-
Loads dropped DLL 2 IoCs
pid   Process
5288  IncMoreV2.exe
6272  IncMoreV2.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description                               pid   Process        procid_target
PID 5288 set thread context of 5052       5288  IncMoreV2.exe  147
PID 6272 set thread context of 2288       6272  IncMoreV2.exe  150
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                        Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                             taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                          taskmgr.exe
-
Modifies registry class 1 IoCs
description  ioc                                                                                                                                                                                                   Process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{AD5BBD1B-BEA5-4DBE-8EBA-5DC1274D276A}  msedge.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
pid   Process
7024  NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
5052  MSBuild.exe  (all but three of the 64 entries)
2288  MSBuild.exe  (three entries)
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
description                        pid   Process
Token: 33                          1520  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1520  AUDIODG.EXE
Token: SeRestorePrivilege          6596  7zG.exe
Token: 35                          6596  7zG.exe
Token: SeSecurityPrivilege         6596  7zG.exe
Token: SeSecurityPrivilege         6596  7zG.exe
Token: SeRestorePrivilege          6900  7zFM.exe
Token: 35                          6900  7zFM.exe
Token: SeRestorePrivilege          7044  7zG.exe
Token: 35                          7044  7zG.exe
Token: SeSecurityPrivilege         7044  7zG.exe
Token: SeSecurityPrivilege         7044  7zG.exe
Token: SeDebugPrivilege            5052  MSBuild.exe
Token: SeDebugPrivilege            2288  MSBuild.exe
Token: SeDebugPrivilege            5428  taskmgr.exe
Token: SeSystemProfilePrivilege    5428  taskmgr.exe
Token: SeCreateGlobalPrivilege     5428  taskmgr.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
pid   Process
6596  7zG.exe
6900  7zFM.exe
7044  7zG.exe
5428  taskmgr.exe  (all remaining entries)
-
Suspicious use of SendNotifyMessage 32 IoCs
pid   Process
5428  taskmgr.exe  (all 32 entries)
-
Suspicious use of WriteProcessMemory 16 IoCs
description                          pid   Process        procid_target
PID 5288 wrote to memory of 5052     5288  IncMoreV2.exe  147  (8 entries)
PID 6272 wrote to memory of 2288     6272  IncMoreV2.exe  150  (8 entries)
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=IKgUvfS48to
  PID: 3488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3956 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 1400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5296 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4936 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 3920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4744 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3692
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4856 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6064 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 3816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6120 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 1068
-
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x350 0x500
  - Suspicious use of AdjustPrivilegeToken
  PID: 1520
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6348 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  - Modifies registry class
  PID: 4384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6452 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 3228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6676 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6304 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6276 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6948 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=7080 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=7284 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7496 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7400 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7696 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7824 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7964 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8092 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8236 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 1820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8292 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=8520 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 3900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=8848 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 5360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=9032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 5740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=9048 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 5748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9484 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 5868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=9056 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 5956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=9896 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 5996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 6068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=10100 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4348
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=10248 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 1928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=10268 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2936
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=10612 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 2160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=10532 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=11236 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 6176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=11356 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1
  PID: 6240
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 6320
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ShowPop\" -ad -an -ai#7zMap18216:76:7zEvent7670
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 6596
-
C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ShowPop\PopShow.rar"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 6900
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ShowPop\PopShow\" -ad -an -ai#7zMap4143:92:7zEvent12038
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 7044
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
  "C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5288
  Child process:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5052
-
C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe
  "C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 6272
  Child process:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2288
-
C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ShowPop\PopShow\PopShow\IncMoreV2.txt
  - Opens file in notepad (likely ransom note)
  PID: 7024
-
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5428
Network
MITRE ATT&CK Enterprise v15
Downloads