Analysis
  max time kernel:  68s
  max time network: 70s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240709-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        14/07/2024, 15:50
Static task:     static1
URLScan task:    urlscan1
Behavioral task: behavioral1
Sample:   https://www.mediafire.com/folder/jowz4gde73ba7/launcher.3.1.7.v2.rar
Resource: win10v2004-20240709-en
General
  Target: https://www.mediafire.com/folder/jowz4gde73ba7/launcher.3.1.7.v2.rar
Malware Config
  Extracted
    family: redline
    botnet: @spynky
    C2:     94.228.166.68:80
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource:  behavioral1/memory/1652-427-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_redline

Executes dropped EXE (1 IoC)
  pid 116  Process installer.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 116 set thread context of 1652
  pid 116  Process installer.exe  procid_target 113

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                    Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                         taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                            taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133654459352406598"  chrome.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings    chrome.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid 2072  Process NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 3956  Process chrome.exe   (x2)
  pid 1304  Process taskmgr.exe  (x7)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid 3956  Process chrome.exe   (x10)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3956  chrome.exe  (x31)
  Token: SeCreatePagefilePrivilege  3956  chrome.exe  (x31)
  Token: SeRestorePrivilege         1388  7zFM.exe    (x1)
  Token: 35                         1388  7zFM.exe    (x1)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 3956  Process chrome.exe   (x61)
  pid 1388  Process 7zFM.exe     (x2)
  pid 1304  Process taskmgr.exe  (x1)

Suspicious use of SendNotifyMessage (57 IoCs)
  pid 3956  Process chrome.exe   (x24)
  pid 1304  Process taskmgr.exe  (x33)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 3956 wrote to memory of 4868   3956  chrome.exe  84   (x2)
  PID 3956 wrote to memory of 1560   3956  chrome.exe  85   (x30)
  PID 3956 wrote to memory of 2784   3956  chrome.exe  86   (x2)
  PID 3956 wrote to memory of 1972   3956  chrome.exe  87   (x30)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3956)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/folder/jowz4gde73ba7/launcher.3.1.7.v2.rar
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4868)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffedab8cc40,0x7ffedab8cc4c,0x7ffedab8cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1560)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2276,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2284 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2784)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2308 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1972)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2312 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2920)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3144 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3964)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3180 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2684)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4944 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4996)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5060,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4960 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1248)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5232,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5324 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1656)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4956,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5424 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3312)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4936,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3212 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1828)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5008,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5028 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1328)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5512,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3264 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2364)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5688,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5672 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3844)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5700,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5692 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1416)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,17024897160900060760,4205571406001290643,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe (PID 4528)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 3584)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe (PID 2684)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe (PID 1388)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\launcher.3.1.7.v2.rar"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\launcher.3.1.7.v2\installer.exe (PID 116)
  "C:\Users\Admin\Desktop\launcher.3.1.7.v2\installer.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1652)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\NOTEPAD.EXE (PID 2072)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\launcher.3.1.7.v2\instruction.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\taskmgr.exe (PID 1304)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 40B
  MD5:    1722ea4f718ec55186e8a63a3cce46fe
  SHA1:   74965ea5307533fc950cf6b5506ecc45bed836da
  SHA256: 9fed7af284b40d61b45bb5cb23087d55e45fa1de917dc8271cc645b8a6eeb9e6
  SHA512: eea6599beb7237dfc1fe8386c1b048d27826373fa35376bdc4cebf73f4f5319b1d0b16c5feda6fada6b087b48eb10d7af3856fe46ffb96a1cce44ad30183419a

File 2
  Filesize: 2KB
  MD5:    da23ce0b0fac33d5523562b50af42a5d
  SHA1:   910f89199885a0b26628e217696234319f1f30d4
  SHA256: a642870a016c8baff66b0bfe2a1ecea290a62dc0789b7656d55dfd3f9f803ee7
  SHA512: cfd8d658554ad761f35a7a78fe2f65ddb49de331b4b2d21a8674ffce3c4bab688b14c544f1ee58fe8913a681d9afa12e0fb9dd4eeb21409bc5b21dade13f1dc9

File 3
  Filesize: 264KB
  MD5:    8122f72613ea7afd1dc3d3db1ff7565a
  SHA1:   c2687f8abb3f3611cc389edb4526a789e669171d
  SHA256: 1003f71f1ea5a1c07e98b213b984ffc9cf158bce3de76fa71f6a4bfbd499c15f
  SHA512: 27ce52c7cd360910548c6aaea6ee3335ae7b0b258464bb031b4e3914609e13244e1b7e0720cbd2b4925639f4a7f72241a5b581ebd25b3cf6ac399ead214cfc54

File 4
  Filesize: 18KB
  MD5:    612491997237c2f9577ec15ef7d186ca
  SHA1:   677b619507fde6639edf2a6948543b09ddf7993e
  SHA256: b1c79aa68bae6547a505a9fb9e4b3e0360e0fc143c466314dd6275ac4c7e2233
  SHA512: 1493c31f4e7cd43b4790afc4e28f46fe3fbecba0888b6fe504118063522e34604f8f43919c90f9e9180a73a84f1cf7973b127644a078745e020487238621d295

File 5
  Filesize: 2B
  MD5:    d751713988987e9331980363e24189ce
  SHA1:   97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

File 6
  Filesize: 1KB
  MD5:    abbceb3157aff86d23cb4d646ec3cc62
  SHA1:   110b74092e75af9b117b0e00e25c12c89a014787
  SHA256: a9709bdfc61441b715f40d95fc9054a834c8b13e6c172d08ad4d124b049a1b36
  SHA512: 856194337c9ebbb1549d90f9a459728fd3c0243bc1ea02ed41ab235b2a8a58d20174718c0f1ba638d3048068910a9bccf99f50a263622fad57b8e74f47fe6d04

File 7
  Filesize: 2KB
  MD5:    aeb5da67ab3f1efb4e794adb7dda7b1a
  SHA1:   f304cce0e5d68151c572028fee36d820bf3f3a37
  SHA256: e54c77eab1ef67591eea1e00c159c9b2aa12563e1317d02cb3ee9f81e5c6bc40
  SHA512: 44dbb022182522d4b5983027a8a207ac0cef9b6791a298accd5a6ea3fe1bd266bc5033e824fcd7807c44cbb10ee0718dfc2129da223b8f899ec31595d70b6056

File 8
  Filesize: 8KB
  MD5:    d46327764941a4df1e70e4e5accee3b3
  SHA1:   38e51fc0260e7740c65d39cb06120e80ace75f27
  SHA256: 01ceb8d4937a30e33cdc0b8880385bdebf0788aa786b5eb0076a7d3f62a3b05b
  SHA512: bafa812418bb2312dbb9359be896812111dfafc9e7ead1915c9cf478b501a3512160d89e35df325b8f49fea1d3cb58dfaeee1c89a1e70e58c110a62c369cebfa

File 9
  Filesize: 9KB
  MD5:    dea1a4e651b319abf8c37c654ab30abd
  SHA1:   cbf35e0c94e90720e7a8b3c57fee7aa14c98350a
  SHA256: f7b3e032e7648c9bfc38ffb4cacab480c6e901bc4a9a1c6d8cfec8bc34f50886
  SHA512: dfc3bd7718354696d416436e6d621a2bfc3f3b3c7a208448e9741d50ae99ebf03882a6a12cfcd22a2262028534341970e3b15983310ad9e7b5e5951c42393b23

File 10
  Filesize: 10KB
  MD5:    d185bd0e42096c556055e1dce85712da
  SHA1:   1a39f0eb6ab26758eec65b7e1fa6d1cba73f025b
  SHA256: 30c1a173d36197b095883e66710f8feca51dbbc52c6e260d4277775358241746
  SHA512: 6fc5bf928384d9be749b9f44c3dcbba09689fb0b793cac9f4dd2e73e79c71723bce4a2175dc08ee32f4e7c275cf0a17e1d6b7a422b7c94583e1a442ba6d2b763

File 11
  Filesize: 93KB
  MD5:    6ad96d738fa9e2794bcd79d23a6023a5
  SHA1:   e2a3f3d9dafe7b5c0882ec33f69f8a5193834070
  SHA256: 7776699893f863c17eecbfd4718b0bc3591b2c4201f1a44d55670737ac6fbb54
  SHA512: 13294d9d80c467d47a8d4346ee4736052f2ebd9dee8c433fe4518de8ff54272f8b1a3881ab170aedc0ecb992b512e026e7fc235f8c83acf2bc885ede2b07ca2b

File 12
  Filesize: 93KB
  MD5:    0f6fbc0217de83e2356c96537c02f95c
  SHA1:   1e183073ae1563a13ac2963cb2fe39f93eab2fd9
  SHA256: 8647bda681e093b129d5644edf0f290c42f3061ada0a5e98410ba8dd444e903e
  SHA512: fa652ef889fb279346c1f3a5df17de4ea307d1353432ac181d4d7f3c46c22b248c8594c0af689c368fa22f797d3c1ef27cc798a9a9e778f6f61794af78b59a8d

File 13
  Filesize: 522KB
  MD5:    e04a6be48e315642447bbcbdc179fdcc
  SHA1:   015242788d370573beb71f11304e2979f925a5d6
  SHA256: 54999eb940a9c1d42f6a3496a290a36532c634d42beb59c97e43d916369b0931
  SHA512: 02fee50a7abe22ab2ea4275f590ffec3e75debe49d8d0e805d63a6795679b63d6e9299f6b596ee5b6da8874925ba00c973bf2dc42fdd07b90c5f6c482c840cb6

File 14
  Filesize: 49B
  MD5:    c7f1453da202c50b6ab52567e34b75a9
  SHA1:   e5d4d605be0a7fe9ae1fb9c1a2f8a459e16f7b89
  SHA256: 133952b8a8abba01ca1779b1f628e6da27d9ed8624baff1325c23b9e487180b4
  SHA512: c4bb21a42c3333230ec0fd46ee7035e32556b697d56bd6f1f9e10ea1cdd76499401b94aad3510e8cb0d06894d6f7b152679a14c0f61a0114208c236388922c2e

File 15
  Filesize: 408KB
  MD5:    d406885300769eacfdb5ee06da21dc05
  SHA1:   265f7e92745cf8683f98717956720b7e3ea0601c
  SHA256: 3c1454b42f82fbed409252edd30fffb4cf1350df87f2b180a3623c7d7ccd194c
  SHA512: b61551a9ca8f71f9b65e44143af8a0684af4fb4fe623e73644356718a80f89ca59528ad6489060f0b13796360486a2f69e8b3b095d63a6b9e951848f5c30966a