Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 06/10/2024, 20:44
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0
Resource: win10v2004-20240802-en
General
Target: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0
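The submitted target is not the mediafire folder itself but a YouTube video-description redirect wrapping it: the `event=video_description` and `v=S4PddgL0Gm0` parameters show the link was placed in the description of that video, and the real destination sits percent-encoded in `q=`. The Python below is an added example, not part of the Triage report or of any YouTube tooling; it unwraps such redirectors offline so the host that gets blocked and pivoted on is the final one. Only the youtube.com/redirect entry in the table comes from this page; the Google and Facebook entries are assumed common wrappers added so the walker also handles nested redirects.

```python
from urllib.parse import parse_qs, urlsplit

# Redirector endpoints and the query parameter that carries the real destination.
# Only the youtube.com/redirect entry is taken from this report; the other two are
# assumed common wrappers, included so nested redirects are followed as well.
REDIRECTORS = {
    ("www.youtube.com", "/redirect"): "q",
    ("www.google.com", "/url"): "q",
    ("l.facebook.com", "/l.php"): "u",
}


def unwrap_redirects(url: str, max_hops: int = 5) -> list:
    """Follow redirector wrappers syntactically (no network) and return the URL chain."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        param = REDIRECTORS.get((parts.netloc.lower(), parts.path))
        if param is None:
            break
        nxt = parse_qs(parts.query).get(param, [""])[0]  # parse_qs percent-decodes
        if not nxt.lower().startswith(("http://", "https://")) or nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def lure_summary(url: str) -> dict:
    """Pivot points an analyst wants from a video-description redirect link."""
    qs = parse_qs(urlsplit(url).query)
    chain = unwrap_redirects(url)
    return {
        "event": qs.get("event", [None])[0],
        "video_id": qs.get("v", [None])[0],
        "hops": len(chain) - 1,
        "destination": chain[-1],
        "destination_host": urlsplit(chain[-1]).netloc.lower(),
    }


# The sample URL from this report, unchanged.
SAMPLE_URL = (
    "https://www.youtube.com/redirect?event=video_description"
    "&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA"
    "&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0"
)

if __name__ == "__main__":
    for key, value in lure_summary(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

The walker deliberately does no HTTP: a YouTube redirect is a syntactic wrapper, so the destination can be recovered without touching the attacker's infrastructure. For this sample it yields the mediafire folder that, per the process tree further down, delivered the S0FTWARE archive.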
Malware Config
Extracted
Family: vidar
Version: 11
Botnet: 346a77fbabba142b23c256004b5a7c5d
C2: https://steamcommunity.com/profiles/76561199780418869
C2: https://t.me/ae5ed
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

The two C2 entries are dead-drop resolvers, not the exfiltration server: Vidar fetches the Steam profile and the Telegram channel page and parses the live C2 address out of their content, so the operator can rotate infrastructure without touching the sample. Block and alert on both URLs, and note that the configured user agent (a macOS Firefox string sent from a Windows host) is itself a usable network indicator for this build.
Signatures
Detect Vidar Stealer 14 IoCs
resource / yara_rule: all 14 hits are memory dumps of PID 5392 (BitLockerToGo.exe), region 0x0000000000800000-0x0000000000A75000, matched by family_vidar_v7. Dump indices, in the order listed: 699, 701, 708, 709, 724, 725, 736, 737, 742, 745, 743, 746, 750, 751 (file names behavioral1/memory/5392-<index>-0x0000000000800000-0x0000000000A75000-memory.dmp).
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid / Process: 912 S0FTWARE.exe, 2544 S0FTWARE.exe
Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target: PID 912 (S0FTWARE.exe) set thread context of PID 5392 (BitLockerToGo.exe), procid_target 131

Read together with the process tree and the YARA hits, this is the process-hollowing pattern: the dropped S0FTWARE.exe (PID 912) launches the legitimate Windows binary BitLockerToGo.exe (PID 5392) as its child, rewrites that child's thread context, and every family_vidar_v7 memory hit lands in PID 5392. The unpacked stealer therefore runs inside a Microsoft-signed image, and the on-disk S0FTWARE.exe never hosts it in decoded form. The second launch (PID 2544 spawning PID 6124) shows the same parent/child pair but no SetThreadContext or YARA evidence on this page.
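The inference above combines three separate signals (a system binary spawned from a user-writable path, a thread-context rewrite by its parent, and a family rule firing only in the child). The Python below is an added example, not part of the Triage report, that scores that combination over constructed records mirroring the PIDs on this page; it also carries the browser's own WriteProcessMemory into its GPU child to show why that signal alone is not treated as injection. The weights, the `Proc` record and the event lists are assumptions for the example, not values from the sandbox.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int] = None


# Paths a standard user can write to; a parent living here is the weak signal.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)
# Images under the Windows directory are the usual hollowing hosts.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

Event = Tuple[int, int]  # (source pid, target pid)


def score_hollowing(
    procs: Iterable[Proc],
    set_thread_context: Iterable[Event],
    write_process_memory: Iterable[Event],
    yara_hits: Iterable[Tuple[int, str]],
) -> Dict[int, Tuple[int, str, List[str]]]:
    """Score every system-directory child by the evidence that its parent hollowed it.

    Weights are assumptions for this example, not values from the report:
      +1 system binary spawned by a parent in a user-writable path
      +1 that parent also wrote into the child's memory
      +2 the parent rewrote the child's thread context
      +3 a family YARA rule matched in the child's memory
    Returns {child_pid: (score, verdict, reasons)} for children with score > 0.
    """
    by_pid = {p.pid: p for p in procs}
    stc, wpm = set(set_thread_context), set(write_process_memory)
    hits: Dict[int, set] = {}
    for pid, rule in yara_hits:
        hits.setdefault(pid, set()).add(rule)

    results: Dict[int, Tuple[int, str, List[str]]] = {}
    for child in by_pid.values():
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None or not SYSTEM_DIR.match(child.image):
            continue
        score, reasons = 0, []
        if USER_WRITABLE.match(parent.image):
            score += 1
            reasons.append(f"{child.image} spawned by user-writable {parent.image}")
            if (parent.pid, child.pid) in wpm:
                score += 1
                reasons.append("parent wrote into child memory")
        if (parent.pid, child.pid) in stc:
            score += 2
            reasons.append("parent called SetThreadContext on child")
        if child.pid in hits:
            score += 3
            reasons.append("family rule in child memory: " + ", ".join(sorted(hits[child.pid])))
        if score:
            results[child.pid] = (score, "hollowed" if score >= 3 else "suspicious", reasons)
    return results


# Constructed from the process tree and signatures on this page (a subset of the tree).
PROCS = [
    Proc(2076, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    Proc(1428, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 2076),
    Proc(1576, r"C:\Program Files\7-Zip\7zG.exe"),
    Proc(912, r"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"),
    Proc(5392, r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", 912),
    Proc(2544, r"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"),
    Proc(6124, r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", 2544),
]
SET_THREAD_CONTEXT = [(912, 5392)]       # "PID 912 set thread context of 5392"
WRITE_PROCESS_MEMORY = [(2076, 1428)]    # browser -> its own GPU child, benign
YARA_HITS = [(5392, "family_vidar_v7")]  # all 14 memory hits are in PID 5392

if __name__ == "__main__":
    scored = score_hollowing(PROCS, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, YARA_HITS)
    for pid, (score, verdict, reasons) in sorted(scored.items()):
        print(f"PID {pid}: {verdict} (score {score})")
        for reason in reasons:
            print("   -", reason)
```

On this input PID 5392 scores 6 (hollowed) and PID 6124 scores 1 (suspicious, parent/child pattern only), while the browser's GPU child is never considered because neither it nor its parent lives under the Windows or a user-writable directory. In a real pipeline the same function would be fed from process-creation, thread-context and memory-scan telemetry rather than hand-built lists.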
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by S0FTWARE.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by BitLockerToGo.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by S0FTWARE.exe
Stealers commonly read this key to abort on locales they avoid; the image here is en-us, so execution continued. On its own the key access is weak evidence, since many legitimate installers read it too.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by BitLockerToGo.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by BitLockerToGo.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description / ioc / Process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
Note the attribution: the processor check comes from the hollowed BitLockerToGo.exe and belongs to the payload, whereas the BIOS queries come from the browser that opened the lure URL and should be treated as noise from delivery, not as payload behaviour.
Opens file in notepad (likely ransom note) 1 IoCs
pid / Process: 5832 NOTEPAD.EXE
The "ransom note" wording is the sandbox's generic heuristic for any text file opened in Notepad. The file here is C:\Users\Admin\Downloads\S0FTWARE\Readme.txt from the extracted archive (see the process tree), which fits an archive that ships instructions beside its executable; nothing on this page shows encryption activity.
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid / Process: 2836 msedge.exe (x2), 2076 msedge.exe (x2), 1056 identity_helper.exe (x2), 3180 msedge.exe (x2), 5392 BitLockerToGo.exe (x4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
pid / Process: 2076 msedge.exe (x19)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description / pid / Process:
- Token: SeRestorePrivilege 1576 7zG.exe
- Token: 35 1576 7zG.exe (raw privilege LUID; 35 is SeCreateSymbolicLinkPrivilege)
- Token: SeSecurityPrivilege 1576 7zG.exe
- Token: SeSecurityPrivilege 1576 7zG.exe
All four entries are 7-Zip enabling the privileges it uses to restore ACLs and links while extracting the archive. This is expected extraction behaviour and not part of the payload.
Suspicious use of FindShellTrayWindow 64 IoCs
pid / Process: 2076 msedge.exe (x64; listing capped at 64)
Suspicious use of SendNotifyMessage 26 IoCs
pid / Process: 2076 msedge.exe (x26)
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target: every entry is PID 2076 (msedge.exe) writing into one of its own children:
- 2076 wrote to memory of 1136 (procid_target 82, the crashpad handler), twice
- 2076 wrote to memory of 1428 (procid_target 83, the GPU process), repeated
- 2076 wrote to memory of 2836 (procid_target 84, the network service), twice
- 2076 wrote to memory of 1608 (procid_target 85, the storage service), repeated
The listing is capped at 64 entries and is filled entirely by the browser's normal child-process setup, so a write from S0FTWARE.exe (PID 912) into BitLockerToGo.exe (PID 5392) would not appear here even if it occurred. Rely on the SetThreadContext signature above for that injection.
Processes
(Indentation shows parent/child nesting.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2076)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1136)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9da7946f8,0x7ff9da794708,0x7ff9da794718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1428)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2836)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1608)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3040)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2336)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1056)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3508)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3212)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5004)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2176)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1296)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4484)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2768)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1620)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3628)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4596)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4548)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5280)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5380)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5636)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7428 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5644)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5688)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5836)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3180)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 2632)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 3724)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 1200)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe (PID 1576)
    Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0FTWARE\" -ad -an -ai#7zMap5520:78:7zEvent13743
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\NOTEPAD.EXE (PID 5832)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S0FTWARE\Readme.txt
    - Opens file in notepad (likely ransom note)

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe (PID 912)
    Command line: "C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery

    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 5392)
        Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe (PID 2544)
    Command line: "C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 6124)
        Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
MITRE ATT&CK: Enterprise v15 (framework version used for the TTP references in the signatures above)
Downloads

Filesize: 152B
MD5: 9b008261dda31857d68792b46af6dd6d
SHA1: e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256: 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512: 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Filesize: 152B
MD5: 0446fcdd21b016db1f468971fb82a488
SHA1: 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256: 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512: 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: fe0c9309d83ad2a50e51d64a75469b8f
SHA1: 788f4681baadb7d66439c50254b535060a8e92e1
SHA256: 89f527b2c4c5c8e889b2503ca48ea992286f9914fe9e72ede4c9fa30dc2e3294
SHA512: f2120becacf7c7ea538f7dd4f64b4103b06aa51067c73944df32014bff9d00134797135cfe2b1a363c3703d95e5645218be613322d7c67105630a87deefa7a52

Filesize: 36KB
MD5: b215e4264ec10fd19686896bec43207b
SHA1: a611be8079cdf43ddab4b2d071b495a00b08bb4e
SHA256: 352518055eb5eb2d03a6058bc8a393227f60a582f2f66252d0b9bd68e005694f
SHA512: 0b8e2700f4a71f4cd505ecbd6b33079c0cb6c8497bfa41c23436259af401b8c94c5520fd064b7d962b8f24602ddbc237b7a93e209b180b0f30c33677cccf1e2d

Filesize: 140KB
MD5: 36ff3f4ac357db94c66041a7dbc2fc99
SHA1: 31fa34b35ab2b06c0ca1b40bdaa965f39773761d
SHA256: 78de79c6f9728c8f7bc5047d082feb69621102af168beb7ab266fb823ffd78d1
SHA512: 157b750319855d6f42b74767e81cbda1759c841a483202865ac4f19a9872a67550415d1924aaf18c34f69f91a572d1c8345f2fbc194c506455da55a162baf8a4

Filesize: 9KB
MD5: e70e389939dc02e679d3433a0fc07d52
SHA1: f49412a5bb923f5506713f9fb9a207893dc20a1b
SHA256: 939847e500ad270486f0302e70986be53b1dbbc7f5830a88cea92e78be1c5969
SHA512: 7f4cbcc03e37dd15c8fd9305653757d473002b7c03fe7d935f851698605d14575aeae28d97936cec93ab07fc2dc38f9e4c25cf106221dc678e594619b5bd3bf5

Filesize: 5KB
MD5: e646eb4d059b01e7358242e67bd1aca3
SHA1: d9206287fa0c4829542cfe787eadd877916fa964
SHA256: 3a474d732d17a1112028649e48f52d01fee08d75249027bf0d7045f05ddd8c5b
SHA512: ae0f474b12c0a83f00a5b3abe8acaaecde6d80770381f59a589bdcdd30ece4673d116a752a843cb366226d8e98da6bebb1cdfd3208c419ac9757bdcb3829a7cb

Filesize: 6KB
MD5: 2ac8e17922e8ebded40cc0accbaa9541
SHA1: 9ecdd1be4409e94e507142f544d68e7264315465
SHA256: 6e71ada2fe187d3941fbc101d7ff3792ea76441f7518bb41553846e58f984b03
SHA512: 4e4f42112de21da0a321752a9adf9d23e8a90a30afeb0140ecae27295469910e6671db3e0dab0762d4446c64fdc4539572af737b1558572df641afa05115a8e9

Filesize: 7KB
MD5: 9e7b368b02cfcc5b66caf4123d2aa818
SHA1: 6a484b20a3d6e9ca5c5755cbeb4fecef5e1fea56
SHA256: d632f9bb467ef0ce674f78f1019783e5e7eeedaaf3d5cfb32eb2e12b5d9cbe9d
SHA512: d730ce5c0d0e63d45bec3dcd546f72b09fc04ce3a6e1281b5ffbd2ed477e3bcbc881c7f754af83f7b92e28695d10448d493688fea736e09599e17837bd66d89b

Filesize: 12KB
MD5: ffece1e2b75b6653413448ece3dabdc5
SHA1: f9dcc082bfb2b088fd741fef98f58f0f197a44c0
SHA256: 04a9445814c1abe5ca8678504aa9eef8086c2ee5fa7cd72361bdd2f111e78efd
SHA512: dfeb881954a27eb5847248381d46d64bde9626a9bba3e8fc12bf4b76528386f64cb620d9f4b62e1356f83475156e1e824aed321d5060f29fdc383593ae9d3a8a

Filesize: 11KB
MD5: f6c49957957f48f1302f3b94adcc9c4a
SHA1: 8f7744993115b29298272efbdac32f7476771487
SHA256: fadf9da17f80897bff8f3134f038a796b0c557f77697dc100a98760efdf8999c
SHA512: 769c0a878a27e55ad860bf037a5bf3ef50ae3c95dae9a031b78b17c7d6592edf7ac71a2ee85fd3f96ab0d55cc63fb1969c4c2f10caf77b887540c6d91b989fd0

Filesize: 2KB
MD5: 865a2fcee4757c72bb79c78edd203e02
SHA1: 0afe0229bd9732f9c2038bd68bb18dc717775050
SHA256: 694de34ea6a40c476c7f84d490eb22d9a75e79ad0fb404558c844a40096e6f02
SHA512: f0e52ecf6a8a2bb9ff4d9a40c9c5fe76881dd978f70d6033963af94027d9b0e9f22d57938f9578859f47055c29fd5f95970a68f3d59db5324326e187a7073ede

Filesize: 1KB
MD5: 8a91899bcc89572b85dfb55a7d8076e9
SHA1: 3f81cf2670ae3b9a9c6600b46506e5d5017e10df
SHA256: a267a0624991a6672be712ef1eb3660cbda2b4d13af00d4663dfc8f3659ddf72
SHA512: c63b4df8401eaaa4a232a7fddf5202e0a6ed9cda0413bf5b18992223abb63eb191448ed517de9f244bbe52dbb1b9d5e3c6567f7383d47fd92e3ab7743a59bd62

Filesize: 2KB
MD5: 6688f9e0822908f62bfddb3eb7f7b831
SHA1: b4cb537f66c9fa0d29dd5c8cbff9ccd89a6fc4a3
SHA256: c0e78c3759badc2b8085856cb0302ef8940a70459079fb5973d4e39a3da209ca
SHA512: 0671182bb5784d1c121a2138faa9b502aa27a656aa4bcd4f0ee127e3501233b5edb20e4a4a5784f499277a50d32c4ab526da1d337ec04ee5c830e13f8eb3f809

Filesize: 698B
MD5: 2b42f412d8ab069c614272f79ddcafed
SHA1: 13b7249782bf88922785c15aedca93f181b57d1a
SHA256: 2271a0d117117443b5b7915fe49bf44f830dcac416e182258213a9fcc7f70d51
SHA512: 12c5e116d1ae5e7d17e3929f8ae2cdde967adbe11ff496306d353ee05dd89e165be0141057ffebe355a25c3d0b8874416ebb7ae6d78b3915320ea0a5ab6ba5db

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 29783cc5922df211954b7e29fe361b5a
SHA1: e51f155fc3f3a183062baac95a91c8dd116e0d5f
SHA256: bb57c85a674b2ff829cf9ad078b2c0a38cf2671267a4b315c65cb15ccd900a50
SHA512: 0a369ab3eab66c6ae0efb605083bfd9d13f8d7aff0093b253b4231fee69a3ed05e70066da9739b57ebbbe1aca56d7dc7fa7d62f7cc4cd74f530712f8966da969

Filesize: 10KB
MD5: e822b2fb07b9582f7dc0397fc4e5b195
SHA1: 09c9b6c891fa5005907c13b9442ce601745a5e7c
SHA256: 0b469bab869042d8a4c80b3a10e88ae3af86ef3a8292392cfc36e53984e3bc08
SHA512: 1c318529e9767cacbf8a13f3289acd38a9d7b49b20fc478f1f876c303ee26b68b95e2eada6e7022d47d7c36a1dd3ff8f2e10c2c8871fcdc1feddd3f7acbc0e19

Filesize: 11KB
MD5: 1e820c9bbd25dc0c7f3aa79fa2132cab
SHA1: c8e179e981daea969b0680d2167dcc76a31dc924
SHA256: 04a5de7b8fb5ba93c6a76fff652e85f31863492e1b8717fdeffa6e249b904a41
SHA512: 0f9d6cc36fb721aec1ae2304aa4c7693b8fdaf45a9f161e80788e345011cefb2b7bc61f882452c7d33d12b3050c7961eea0d6af544c35ee4e650e8c1c61b958c

Filesize: 37.1MB
MD5: db649d904a2dad5af13d9db51369ee18
SHA1: 7ea01c25155490278cc5c02bf0d3bfa05c6a1bdc
SHA256: 383f10704e0d2f14ab2e9cfe0d30262187d1f037c99077130c3960207a82e7aa
SHA512: 790804e1951c072e76cef3b336c09b28add4714b0c7b6ff39cba5b8ccd11227421bb45214559e753c2f432a1ec7a9a849e42bbb408560769b95e9b4d050471f4

Filesize: 244B
MD5: 82d0a343d06f3aaa16c594284d6b1f6d
SHA1: 9294bb014a3a8be3fc5c533f525ac7270b09bf51
SHA256: 1a0655b5aa5b6d037e25893bd191323091025f1df92e6f8b4392b1889171da10
SHA512: de024359f7c3e247dfd61b3ef3be0f3bc65855e4863966345bfe99a9e7c21659e2d0e08ba50ee46cccd0e569633b4edf68e30050c8956005adb56500d263ad53

Filesize: 17.5MB
MD5: 1603ae955d010896283442534a8ad39c
SHA1: 90101b5164c138f227d7add871c1f629bd6d083d
SHA256: 34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09
SHA512: e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e