vidar | 5c652ae8bb4fe83f367c0aa8766cad27079a5b690313bc9fe7466cf7124f5aa5

Analysis

max time kernel
80s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

link.txt
Size

139B
MD5

c60c22715cb29a8310b0d0712b395733
SHA1

c01d25e0cd6118d77e80b69e84ced4699db498ed
SHA256

5c652ae8bb4fe83f367c0aa8766cad27079a5b690313bc9fe7466cf7124f5aa5
SHA512

8562de8bb49e98d3e8908d1ee5c65f54058eb4ad2acc792e83b67c3e4c3f30ad578c385c253a0917dbbb1725baf32a0500ba4a13768586e8d3307c9ff561dd4d

Score

10^/10

vidar 23a142269e47ce1692ccc9fb68473bc2 discovery stealer

Malware Config

Extracted

Family

vidar

Version

11.1

Botnet

23a142269e47ce1692ccc9fb68473bc2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 21 IoCs

stealer

resource	yara_rule
behavioral1/memory/3020-769-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-766-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-764-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-762-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-770-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-914-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-933-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-961-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-980-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-986-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1005-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1009-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1042-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1170-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1189-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1232-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3020-1251-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3048-1431-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3048-1450-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3048-1476-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/3048-1496-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
580	3024	WerFault.exe	57
2992	1432	WerFault.exe	65
540	1260	WerFault.exe	70

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1732	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1984	NOTEPAD.EXE
1040	NOTEPAD.EXE
1932	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2224	1708	chrome.exe	32
PID 1708 wrote to memory of 2224	1708	chrome.exe	32
PID 1708 wrote to memory of 2224	1708	chrome.exe	32
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 1784	1708	chrome.exe	34
PID 1708 wrote to memory of 2640	1708	chrome.exe	35
PID 1708 wrote to memory of 2640	1708	chrome.exe	35
PID 1708 wrote to memory of 2640	1708	chrome.exe	35
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36
PID 1708 wrote to memory of 2672	1708	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\link.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7469758,0x7fef7469768,0x7fef7469778
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1496 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:2
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3048 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:1
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3992 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 --field-trial-handle=1252,i,10769666937866127439,779236822138571083,131072 /prefetch:8
  2⤵
  PID:1472

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1292

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1040

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\" -an -ai#7zMap3976:120:7zEvent2821
1⤵
PID:2308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1932

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe"
1⤵
PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDGCFBAFBFHJ" & exit
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 52
  2⤵
  - Program crash
  PID:580

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe"
1⤵
PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 72
  2⤵
  - Program crash
  PID:2992

C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe
"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe"
1⤵
PID:1260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 80
  2⤵
  - Program crash
  PID:540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
a650d9d8991fb8d9cb64617324df9a62

SHA1
5e0cc14d0d9b16c7bae4a1941b7ef5639909ef80

SHA256
ce169c43f28da46a26a4058ea0a251538c96d672dcadc3e7202db9f3f55fde00

SHA512
f6e064566198e6f288641f3187d53435e839b6e20fe54b51134f3442e9f1693057b5695b34211a9b1e7c458f72de6b7a1e63fc76ed76499dfb5948cb1d2523a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48a612b4474c63f7f74ce19de9fd0166

SHA1
c45bd4df6d0f6e040ebca65fe6bc57954479844f

SHA256
547298de8eafafcdbad80d43e8dcdfb4f3ee68f7e3e18fe8a8eb8e5cbebe14c6

SHA512
e2b557cd1c3db3b12e4dbdef198f61e0b9c43c073c0ef2cb6c4a9c0d5429cf8479f86851ef3abbc98059e88997d2fdec0cbe261c6fe9972eec9117df580024b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c81b50243f52a531b44654c29ee80d7a

SHA1
80ea66f33a14973cc6464ab9ccd69eef8c3f2cf0

SHA256
88ce55b1d9518dd3813693253be1930a63dac11862cd2c996be9c60345d923fb

SHA512
20344097109956ae42ea317fe293b67f68ab07f65d93b53b1fa1ac5fc9329832643a5b579a1c29dd6cd65eaaca2dfd0f59974114dd26b06ad32d1eb8845efcc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
14e429b4e71727bdbe7efcfff490c480

SHA1
d3d0fa7d1c12d4ba93e9f909d735e40d17857013

SHA256
72608d9cb9534d690d96c1035ca4ac3507464acb1de2a138f438a2fb21dbbc9e

SHA512
063faec158f9dd170115dd5fb53ab07e0880d9e7d20ce3265b3883805d1273644a92ecfc71d761537f22b7aeb36d6ec9f2f830eeaf565f28e1cb6563903c0427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
a3f642991bbd07444b80903e46c01b07

SHA1
2a4a393e79676e68be3c60b685f3288752fb3e8b

SHA256
01e663d8e3de396aaa6256b1f95f697ddd4d588ab08c0ce9120ea13357e920c8

SHA512
8d2c310f0585309f0a0efb600be0176d10775e212fcdeeb2a151ae7881620ec70608834e7f29e8e96e64d1d361dff067a5abdf944b0ac6cdde7f06b9a15617a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
9ec96ecda73886049c12301b8d35e4ca

SHA1
069959d99fa0a4b9e1c25e91beea38bd866535ac

SHA256
2ebf81fedf08898623b1530b8578cf1c20d7d59bc0eb28a3f41fdae21977a7a1

SHA512
21488906a932f5aeed13d7e7e0090dcd5be42f41bd769a04644297b6aaa208a1adefa2b3dbfb09da82b3a4aa126992f31fb2ad8c679e1dfcd47f216e5a068469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
526B

MD5
e92fd90f2195c60ed83f0b06c4616cfc

SHA1
cb0bf23ade06422672cceaaa562ed5616884218f

SHA256
04a4e4c2d1be86ab408535ac2d4a5578871855e9f35d000869028620a84c93cb

SHA512
b8350b72af317d9452d1099ed7c9f3429e41b30cc3b3f8e0677caecc3093858d71ce7d5f64ca4f91651098dbbdcf98b9dee79bc68d1cba034133aebc5482ffa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
052f9a09371ad79b4eb61a500abc0810

SHA1
09b788ff5b86f98069f7b60c84b80a57fe9795c0

SHA256
c5d83611faafd262684c65e5a1f16ef93d3bae2fe67039798589ce7fd8e966e3

SHA512
adc65162bab6c7636857ac9e0211c4b197b78ac02db67ba3ae920b9391a4716be96b02469a600e418b44acc86c2fa826930ac74a9caa4201271348031856d64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5d852e5ce7ccfe23efac7487cf93c897

SHA1
4f7b3935d78e0e2fbb3c2347bac8f9fe9c48fb61

SHA256
1f6be6a29b56ddf9e2564181dca95eefc9e183c81a1662612e1125ae2ed43ccc

SHA512
a23c49806e5175b863e03a4e70c79477f18c236510f68b091229d16cf4a2917326d7a469a404b4f78970a0b8a7d46f8b366e626ab4a08502ca83a5e5ecc73ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
edbd946d356365f272b9463bcaea117b

SHA1
fb8315ce0ac63f9b968618dbcc033c2b16a4dcc7

SHA256
42776436522b1faf8518a762c8db4e926b546553cbf5ec372edd904c473c2cee

SHA512
9357c96b5412e38d0887dd0ee528685ad6d5ca558709401cb23fb0461700608b48b490dc50031e9e3f57eea3564369aae1994fd3a41a53d8b286bb36a72e3525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
341KB

MD5
e8cabf68fa7db23f4a74dfeb53f63522

SHA1
7b92736f2dea821be2603696fbf97d9ae7a25a38

SHA256
f2a39e72937688f410a06da0142e8bde9d053b6d1d639f8499e068de038c5f6c

SHA512
a7c66bf599708e8d24ba180383edd2a354f8f4499af4c6cb0a12f1590199ba443a83d0a8b6a3c9098be5bd801fb7c5b42a3e5ab2a454b1319b771c6fd1b812ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\76561199786602107[1].htm

Filesize
34KB

MD5
54d737da00f27c996bbb711e73065620

SHA1
031e5c5805c1e830f864748d9ae9bc5b3d733916

SHA256
487c416d4fb2566a09aae595c6276ad4a27dd86aabb5e9fd962e89f32e9ed410

SHA512
9f8c25e369febd02b06a816bea70e169c32b9103710c658f81fc008b2c32d840724f68c0c4dd884592cea5af82edd54ad97814882bf76eaf21ab62f2df7ce95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\76561199786602107[1].htm

Filesize
34KB

MD5
15a29bd3881557f165c1b97c85b3f686

SHA1
7807209098f91229f2f339f089b9ccf384e45c9f

SHA256
f0e46afce1e5a8d36c10b453d8102e078a4c92cc0d48b9f699e61c2a59649bf9

SHA512
404edbd02353cdf2fad608cc1098c7a41a5074199646ccbf170d9144db074bb524cde88b51b4197548a3df82bbc9000a589b4a58124f8360f3114b60a4a71a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5775.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar57A7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Readme.txt

Filesize
104B

MD5
956778aaed448e373f09cb6ec4d951d5

SHA1
55bef0c24d5bdc548aef95f38ea7fe4e21ffd8ed

SHA256
0e595cd0abf87cc5ecf3f28c14a52fa885b44948898833804d0d2161812fbc8c

SHA512
1899f9ccc020db482df84bbb04001b81a8dc146c5f2191f95664e1a90c8aec1a929c3e78df50bedaefae0eb56a6f53dfbe8de64233df9bad1b50351812c3587c

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_2.1.4.exe

Filesize
593KB

MD5
4e6b4807bf9282c074e0242e978ba716

SHA1
d207de2b5199957faba2835a291dc6ae17e1d98e

SHA256
5f5039f0ba15ceece070d87486aca31e680fb7afdd5bcf26bc0a17fe15644672

SHA512
135c6a56dd2ef58f68de0a302c73cc3b5ae27a6d6a4c26e1b5aa7d2a5f436ff5ffe4ac0aaba75276de6ed1a69d5ef115a35569b19bb4798f32c04e6adc341cd0

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\locales\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2720-1657-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2720-1658-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3020-766-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1251-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-961-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-986-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1005-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1009-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-953-0x00000000202E0000-0x000000002053F000-memory.dmp

Filesize
2.4MB

Download
memory/3020-1042-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-933-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-914-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1170-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1189-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-1232-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-980-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-756-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-770-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-758-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-760-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-762-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-769-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3020-768-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-764-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3048-1476-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3048-1496-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3048-1470-0x00000000204A0000-0x00000000206FF000-memory.dmp

Filesize
2.4MB

Download
memory/3048-1450-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3048-1431-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3048-1319-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download