vidar | hxxps://www[.]dropbox[.]com/scl/fi/56blt3d0860v1uhbbybdl/Unlock_Tool[.]zip?rlkey=b64ioeyp70sp9vgmjg1qe4top&st=ts5zyjii&dl=1

Analysis

max time kernel
62s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/56blt3d0860v1uhbbybdl/Unlock_Tool.zip?rlkey=b64ioeyp70sp9vgmjg1qe4top&st=ts5zyjii&dl=1

Score

10^/10

vidar 962abdb0b49579401d25d63a1f697be6 discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

962abdb0b49579401d25d63a1f697be6

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 21 IoCs

stealer

resource	yara_rule
behavioral1/memory/5588-722-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-724-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-726-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-735-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-736-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-751-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-752-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-763-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-770-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-764-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-771-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-775-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-778-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-817-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-818-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-825-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5588-826-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5444-878-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/6116-879-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/5444-880-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7
behavioral1/memory/6116-881-0x0000000000400000-0x0000000000675000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2060	Unlock_Tool_6.4.exe
5924	Unlock_Tool_6.4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 5588	2060	Unlock_Tool_6.4.exe	118
PID 5924 set thread context of 6116	5924	Unlock_Tool_6.4.exe	123

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_6.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_6.4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2100	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
676	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
2652	msedge.exe
2652	msedge.exe
828	identity_helper.exe
828	identity_helper.exe
4880	msedge.exe
4880	msedge.exe
5588	RegAsm.exe
5588	RegAsm.exe
5588	RegAsm.exe
5588	RegAsm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5364	7zG.exe
Token: 35	5364	7zG.exe
Token: SeSecurityPrivilege	5364	7zG.exe
Token: SeSecurityPrivilege	5364	7zG.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
5364	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4760	2652	msedge.exe	82
PID 2652 wrote to memory of 4760	2652	msedge.exe	82
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 1044	2652	msedge.exe	83
PID 2652 wrote to memory of 4908	2652	msedge.exe	84
PID 2652 wrote to memory of 4908	2652	msedge.exe	84
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85
PID 2652 wrote to memory of 412	2652	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fi/56blt3d0860v1uhbbybdl/Unlock_Tool.zip?rlkey=b64ioeyp70sp9vgmjg1qe4top&st=ts5zyjii&dl=1
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc86946f8,0x7fffc8694708,0x7fffc8694718
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,5053404665624439537,424741945374130305,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\" -ad -an -ai#7zMap3163:116:7zEvent1342
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5364

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JEHIIDGCFHIE" & exit
    3⤵
    PID:5140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2100

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:676

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5200

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
PID:3764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5444

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5556

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe"
1⤵
PID:5564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
3d0514f5227d0ba8f91af3531108aa9e

SHA1
e785caa409acb468d4cc46790320a54f1ff99db6

SHA256
aac8c93892fef76efc9790da21d518ed553e974256217b4244b34d73bdd0f8ee

SHA512
2990a16921b56e0e00ef40e01c6a5d8ab425475de36fad0228d5f9d31643e476de620f594063fd5a253b47219c10e0de1094aeeea215be00225c7cb79fbc3eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
9ca2ba39563fa3630039886f2979266b

SHA1
39b6da9cafc828c0e5d75f1f30de20c1719d7e56

SHA256
3afb3fe307813af9739bf3533a8ddd009d83dde21cb2f055ea833aad08a3da21

SHA512
06553bcec3f9bcc3a4e3352fc8105e1befff8e4f4ed469219d6d2ab8b3ae027da05952a71fe5983f6c4bcbe34d12eb251cd835d01b04b731c754f27be1a0b1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Unlock_Tool_6.4.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
88e83fba5f5db7c7a45bb13be7e24051

SHA1
ea3f43dd69959a96a20a76fefef863af2915a0d0

SHA256
ca0e1aa3dfe26995c0f130cc3f6b62a1d3cd8e2db0320cd1655ab6d5dc4e188c

SHA512
72363ed26091871be5f6b936c0a0241d1b52b768f8d1d2ee4f8552badc5a1a55fe4550a3e7eb71724fd3c1f23d5054d605bbdbeb938b2f6310b45a24186eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
05deedb4bb84dd583b271e4d67f2bd20

SHA1
13822f278ad4f5da44e4b07a90181dc09048d821

SHA256
6287620ecd02c8642c48b28b973e4ab9b012e42dbc9032653d4272a6c485ad3c

SHA512
9d0fef479ba8f93be00d5640f9e19bf74ee3ad1901b475c75da282a5defe731d7f045efcc5c5afb59190c5057af2cf1f1ceda5ad84278b27cde8b8a2646e5c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
295B

MD5
f3d475bb621a8c0985ac79df42f62794

SHA1
190b845c448ea165803052a6b673b8600f2d2f9d

SHA256
7cad7221c617effc4b973cbbdbefc00d33d3436a6c3492fcbcf6c468e1037c8c

SHA512
2f7c75c9753d6201fc1ab51bf43fd17d4f422287248e2d27129a4a82b8be8a80fc9b82560951e74131c6e104385ba14457fcc4c6b4d1d710a2934101f755e04e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
47fcbbff721c242df972ef1a4be5718b

SHA1
12d3f94b9fffa561143cdeda0a8eeb5d2a8cad5c

SHA256
17c600f5feb7fcbdea9da02e9d8a1e80dcbfec6b92164b5122962a4a9a9e7c11

SHA512
c465e046e53377762dd8a7a077e5dcef09563fce63760a2cc8f80e552223b9a96a95694a194359b57586a648b7a112582a911306d3b92c4a6bad118c536920dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
735502a1ec8fcad1c1c732dd8ff09a69

SHA1
998dbdb7a8ee2e3aa2f71b12e125ca29a363324f

SHA256
923aff975385e4d67940f3d945b6e9b264d4faf5340f6596e82b0d25d12d129f

SHA512
e212613788ec14351c79b9ba977dcbffe272c5db976b3f13fd9bfda1f33f7a565c0c07d02eb044d063e1a24495d430c521539ad6e93c41e16eb9753513540574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa201e4196324bf2c9f9191255111ed4

SHA1
e2a955f976a55de7f388d46c8cc4ea2b445f154d

SHA256
2734d82bb921a9d8c40dc4ff087fc0003a9f388f2f552d4a5bdccb4898a0c9e9

SHA512
1f697a6832b2cab94852ea9a3498cb90269cf4556a326d617983e649c984a0154c125a28959eb8ed7f1e4c5944ea6b2d756d98a001fe22e69d069fdc65b7dd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e19f337d1d225c4c796120b1e61459cd

SHA1
33276da16b14678fb764e7a18b907e62d82511b2

SHA256
db7fdc6df163944cdabd7e38af02970cb423653fc40bea53ab208f3e71ccbe2d

SHA512
c4a1a90e744a51c77fd226dee954274ffd9e686a9f2a5325b031624cdb0cb42e2d5fa8a2e54bcbc163cafb16a3cf6cff1faa465842ecb92ffb7030021d76b942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c37967c65719e5dba35027a58af8efca

SHA1
34912054075989fda80579fc707a67b2b2f5e5b8

SHA256
bfbc4539f7be439a3f7af5187166c82c8c3340bba8d4a5cd91b5e0b85d906048

SHA512
9a6975378f9976e1e0899ac315a2dc4f935804abe3e918872957e81736786b7090694ea239c69d873a6feaa435c787a1ee24a08dd7b126f75699a4688f1e8998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\76561199780418869[1].htm

Filesize
33KB

MD5
0a6f1783e5a8f91199a9713a72ae7093

SHA1
48d536285216311bcef40708eb037296244705a5

SHA256
e4cbc642ae31c53dcf1c7d1dc89721c87e5b81ba0e6652369d0dc4d5c5a247f5

SHA512
1e7dceb7917c35de5092a8107310b8d8450b17bc5e63bca36e244bcc357f49e0c0c6eec26c74f3ed7ca3ce4d5dcfce9f3eaa29fea530118c9189ba0a8655dc88

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool.zip

Filesize
43.5MB

MD5
c5988c46ce87644a8879c09881cdbf42

SHA1
a6448bac746865ddeef854e15634ce956716c9c7

SHA256
5daa4bbf026a13948cc8b222a6041952b3646c3ef1cab491e39bfafe16896f65

SHA512
48f137223ed34728751ba5cc5049261975f613923ffb254107817a8f9fe0c63e0e75e0d4ec5b3eb60fe506cf2f47f2ce1fa60ab7f18095adeb80a0f1296e36e8

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Readme.txt

Filesize
102B

MD5
7a5ff631ed5fec46d824bf32c5b42a02

SHA1
61048f7695f43e88e58ecc9b75adac3095c3b10d

SHA256
8f94af2bfd89e00e189780521e729871c1c6104117734573e8583f12f2007c26

SHA512
d591abefe3e5f24504802a0f06c0735d51769144ee019906114c0207566ccabfd1c9e64d6b2ef9519bd22f93fcbb20d0bd0a916b84e72e03798288b72106e621

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\Unlock_Tool_6.4.exe

Filesize
392KB

MD5
bc401490c6e8c8dd5d5251cb8f3338cc

SHA1
04599c6125cad9f4ef6d04c510e909596334aac1

SHA256
6bf08e72f7b98072ef8b48acf24fd402903cbbdce5f32621e2e12c5801d8c3fa

SHA512
f43a05163e50bd03b860b0ad5aa46df33c622784df928950f954840481fa696b10e54113ed800b3d712cf0bfd3e3dac7af17d7830c5eeec93a42c7ba00fbc5c8

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_6.4\locales\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
memory/2060-720-0x0000000000680000-0x00000000006E8000-memory.dmp

Filesize
416KB

Download
memory/5444-878-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5444-880-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-818-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-825-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-775-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-752-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-778-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-751-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-737-0x0000000022290000-0x00000000224EF000-memory.dmp

Filesize
2.4MB

Download
memory/5588-817-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-763-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-771-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-826-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-736-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-735-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-726-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-724-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-722-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-764-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/5588-770-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/6116-879-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download
memory/6116-881-0x0000000000400000-0x0000000000675000-memory.dmp

Filesize
2.5MB

Download