vidar | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0

Score

10^/10

vidar 346a77fbabba142b23c256004b5a7c5d discovery stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

346a77fbabba142b23c256004b5a7c5d

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/5392-699-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-701-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-708-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-709-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-724-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-725-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-736-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-737-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-742-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-745-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-743-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-746-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-750-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7
behavioral1/memory/5392-751-0x0000000000800000-0x0000000000A75000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
912	S0FTWARE.exe
2544	S0FTWARE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 5392	912	S0FTWARE.exe	131

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5832	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2076	msedge.exe
2076	msedge.exe
1056	identity_helper.exe
1056	identity_helper.exe
3180	msedge.exe
3180	msedge.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe
5392	BitLockerToGo.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1576	7zG.exe
Token: 35	1576	7zG.exe
Token: SeSecurityPrivilege	1576	7zG.exe
Token: SeSecurityPrivilege	1576	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1136	2076	msedge.exe	82
PID 2076 wrote to memory of 1136	2076	msedge.exe	82
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 1428	2076	msedge.exe	83
PID 2076 wrote to memory of 2836	2076	msedge.exe	84
PID 2076 wrote to memory of 2836	2076	msedge.exe	84
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85
PID 2076 wrote to memory of 1608	2076	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWczak1xUGVYMERZWVF1WHBVYkRqV2Zid0JQUXxBQ3Jtc0traHNMcmVWMHdwbjEtMkpFY1cwZXM2VTB1OGFUQ0ZuNGJhNUVJX19GZ2U2RFE2akNDMWRqWG1vUU1BLVZHQkh5eGtsc2xyWW9BVS1CSjJhSnJmR0ZaV1BZZ2JfWEJMcDdHb0JWS01PWFFuakpHWURWMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2F3is42kz6mwjhj%2FFiles&v=S4PddgL0Gm0
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9da7946f8,0x7ff9da794708,0x7ff9da794718
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7428 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4533235006125426600,15392490484125010504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1200

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\S0FTWARE\" -ad -an -ai#7zMap5520:78:7zEvent13743
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\S0FTWARE\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5832

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:912
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5392

C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  PID:6124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fe0c9309d83ad2a50e51d64a75469b8f

SHA1
788f4681baadb7d66439c50254b535060a8e92e1

SHA256
89f527b2c4c5c8e889b2503ca48ea992286f9914fe9e72ede4c9fa30dc2e3294

SHA512
f2120becacf7c7ea538f7dd4f64b4103b06aa51067c73944df32014bff9d00134797135cfe2b1a363c3703d95e5645218be613322d7c67105630a87deefa7a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
b215e4264ec10fd19686896bec43207b

SHA1
a611be8079cdf43ddab4b2d071b495a00b08bb4e

SHA256
352518055eb5eb2d03a6058bc8a393227f60a582f2f66252d0b9bd68e005694f

SHA512
0b8e2700f4a71f4cd505ecbd6b33079c0cb6c8497bfa41c23436259af401b8c94c5520fd064b7d962b8f24602ddbc237b7a93e209b180b0f30c33677cccf1e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
140KB

MD5
36ff3f4ac357db94c66041a7dbc2fc99

SHA1
31fa34b35ab2b06c0ca1b40bdaa965f39773761d

SHA256
78de79c6f9728c8f7bc5047d082feb69621102af168beb7ab266fb823ffd78d1

SHA512
157b750319855d6f42b74767e81cbda1759c841a483202865ac4f19a9872a67550415d1924aaf18c34f69f91a572d1c8345f2fbc194c506455da55a162baf8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
e70e389939dc02e679d3433a0fc07d52

SHA1
f49412a5bb923f5506713f9fb9a207893dc20a1b

SHA256
939847e500ad270486f0302e70986be53b1dbbc7f5830a88cea92e78be1c5969

SHA512
7f4cbcc03e37dd15c8fd9305653757d473002b7c03fe7d935f851698605d14575aeae28d97936cec93ab07fc2dc38f9e4c25cf106221dc678e594619b5bd3bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e646eb4d059b01e7358242e67bd1aca3

SHA1
d9206287fa0c4829542cfe787eadd877916fa964

SHA256
3a474d732d17a1112028649e48f52d01fee08d75249027bf0d7045f05ddd8c5b

SHA512
ae0f474b12c0a83f00a5b3abe8acaaecde6d80770381f59a589bdcdd30ece4673d116a752a843cb366226d8e98da6bebb1cdfd3208c419ac9757bdcb3829a7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ac8e17922e8ebded40cc0accbaa9541

SHA1
9ecdd1be4409e94e507142f544d68e7264315465

SHA256
6e71ada2fe187d3941fbc101d7ff3792ea76441f7518bb41553846e58f984b03

SHA512
4e4f42112de21da0a321752a9adf9d23e8a90a30afeb0140ecae27295469910e6671db3e0dab0762d4446c64fdc4539572af737b1558572df641afa05115a8e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e7b368b02cfcc5b66caf4123d2aa818

SHA1
6a484b20a3d6e9ca5c5755cbeb4fecef5e1fea56

SHA256
d632f9bb467ef0ce674f78f1019783e5e7eeedaaf3d5cfb32eb2e12b5d9cbe9d

SHA512
d730ce5c0d0e63d45bec3dcd546f72b09fc04ce3a6e1281b5ffbd2ed477e3bcbc881c7f754af83f7b92e28695d10448d493688fea736e09599e17837bd66d89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
ffece1e2b75b6653413448ece3dabdc5

SHA1
f9dcc082bfb2b088fd741fef98f58f0f197a44c0

SHA256
04a9445814c1abe5ca8678504aa9eef8086c2ee5fa7cd72361bdd2f111e78efd

SHA512
dfeb881954a27eb5847248381d46d64bde9626a9bba3e8fc12bf4b76528386f64cb620d9f4b62e1356f83475156e1e824aed321d5060f29fdc383593ae9d3a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f6c49957957f48f1302f3b94adcc9c4a

SHA1
8f7744993115b29298272efbdac32f7476771487

SHA256
fadf9da17f80897bff8f3134f038a796b0c557f77697dc100a98760efdf8999c

SHA512
769c0a878a27e55ad860bf037a5bf3ef50ae3c95dae9a031b78b17c7d6592edf7ac71a2ee85fd3f96ab0d55cc63fb1969c4c2f10caf77b887540c6d91b989fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
865a2fcee4757c72bb79c78edd203e02

SHA1
0afe0229bd9732f9c2038bd68bb18dc717775050

SHA256
694de34ea6a40c476c7f84d490eb22d9a75e79ad0fb404558c844a40096e6f02

SHA512
f0e52ecf6a8a2bb9ff4d9a40c9c5fe76881dd978f70d6033963af94027d9b0e9f22d57938f9578859f47055c29fd5f95970a68f3d59db5324326e187a7073ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a91899bcc89572b85dfb55a7d8076e9

SHA1
3f81cf2670ae3b9a9c6600b46506e5d5017e10df

SHA256
a267a0624991a6672be712ef1eb3660cbda2b4d13af00d4663dfc8f3659ddf72

SHA512
c63b4df8401eaaa4a232a7fddf5202e0a6ed9cda0413bf5b18992223abb63eb191448ed517de9f244bbe52dbb1b9d5e3c6567f7383d47fd92e3ab7743a59bd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6688f9e0822908f62bfddb3eb7f7b831

SHA1
b4cb537f66c9fa0d29dd5c8cbff9ccd89a6fc4a3

SHA256
c0e78c3759badc2b8085856cb0302ef8940a70459079fb5973d4e39a3da209ca

SHA512
0671182bb5784d1c121a2138faa9b502aa27a656aa4bcd4f0ee127e3501233b5edb20e4a4a5784f499277a50d32c4ab526da1d337ec04ee5c830e13f8eb3f809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b26.TMP

Filesize
698B

MD5
2b42f412d8ab069c614272f79ddcafed

SHA1
13b7249782bf88922785c15aedca93f181b57d1a

SHA256
2271a0d117117443b5b7915fe49bf44f830dcac416e182258213a9fcc7f70d51

SHA512
12c5e116d1ae5e7d17e3929f8ae2cdde967adbe11ff496306d353ee05dd89e165be0141057ffebe355a25c3d0b8874416ebb7ae6d78b3915320ea0a5ab6ba5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
29783cc5922df211954b7e29fe361b5a

SHA1
e51f155fc3f3a183062baac95a91c8dd116e0d5f

SHA256
bb57c85a674b2ff829cf9ad078b2c0a38cf2671267a4b315c65cb15ccd900a50

SHA512
0a369ab3eab66c6ae0efb605083bfd9d13f8d7aff0093b253b4231fee69a3ed05e70066da9739b57ebbbe1aca56d7dc7fa7d62f7cc4cd74f530712f8966da969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e822b2fb07b9582f7dc0397fc4e5b195

SHA1
09c9b6c891fa5005907c13b9442ce601745a5e7c

SHA256
0b469bab869042d8a4c80b3a10e88ae3af86ef3a8292392cfc36e53984e3bc08

SHA512
1c318529e9767cacbf8a13f3289acd38a9d7b49b20fc478f1f876c303ee26b68b95e2eada6e7022d47d7c36a1dd3ff8f2e10c2c8871fcdc1feddd3f7acbc0e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e820c9bbd25dc0c7f3aa79fa2132cab

SHA1
c8e179e981daea969b0680d2167dcc76a31dc924

SHA256
04a5de7b8fb5ba93c6a76fff652e85f31863492e1b8717fdeffa6e249b904a41

SHA512
0f9d6cc36fb721aec1ae2304aa4c7693b8fdaf45a9f161e80788e345011cefb2b7bc61f882452c7d33d12b3050c7961eea0d6af544c35ee4e650e8c1c61b958c

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.rar

Filesize
37.1MB

MD5
db649d904a2dad5af13d9db51369ee18

SHA1
7ea01c25155490278cc5c02bf0d3bfa05c6a1bdc

SHA256
383f10704e0d2f14ab2e9cfe0d30262187d1f037c99077130c3960207a82e7aa

SHA512
790804e1951c072e76cef3b336c09b28add4714b0c7b6ff39cba5b8ccd11227421bb45214559e753c2f432a1ec7a9a849e42bbb408560769b95e9b4d050471f4

Download Submit
C:\Users\Admin\Downloads\S0FTWARE\Readme.txt

Filesize
244B

MD5
82d0a343d06f3aaa16c594284d6b1f6d

SHA1
9294bb014a3a8be3fc5c533f525ac7270b09bf51

SHA256
1a0655b5aa5b6d037e25893bd191323091025f1df92e6f8b4392b1889171da10

SHA512
de024359f7c3e247dfd61b3ef3be0f3bc65855e4863966345bfe99a9e7c21659e2d0e08ba50ee46cccd0e569633b4edf68e30050c8956005adb56500d263ad53

Download Submit
C:\Users\Admin\Downloads\S0FTWARE\S0FTWARE.exe

Filesize
17.5MB

MD5
1603ae955d010896283442534a8ad39c

SHA1
90101b5164c138f227d7add871c1f629bd6d083d

SHA256
34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09

SHA512
e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e

Download Submit
memory/5392-710-0x000000001F900000-0x000000001FB5F000-memory.dmp

Filesize
2.4MB

Download
memory/5392-736-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-699-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-724-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-725-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-696-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-708-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-709-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-701-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-737-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-742-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-745-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-743-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-746-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-750-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download
memory/5392-751-0x0000000000800000-0x0000000000A75000-memory.dmp

Filesize
2.5MB

Download