Analysis
-
max time kernel
328s
max time network
444s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted
19-10-2024 13:10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.mediafire.com/folder/3is42kz6mwjhj/Files
Resource
win11-20241007-en
General
-
Target
https://www.mediafire.com/folder/3is42kz6mwjhj/Files
Malware Config
Extracted
vidar
11.1
467d1313a0fbcd97b65a6f1d261c288f
https://steamcommunity.com/profiles/76561199786602107
https://t.me/lpnjoke
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures
-
Detect Vidar Stealer 15 IoCs
resource  yara_rule
behavioral1/memory/888-502-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-510-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-525-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-526-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/5652-535-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/5652-558-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-565-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/4296-573-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-604-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/4296-606-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-635-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-659-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/2196-675-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/888-680-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
behavioral1/memory/2196-692-0x0000000000400000-0x0000000000D78000-memory.dmp  family_vidar_v7
-
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
95    bitbucket.org
222   bitbucket.org
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  S0FTWARE.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  S0FTWARE.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  S0FTWARE.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
-
Modifies registry class 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache  MiniSearchHost.exe
-
NTFS ADS 1 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\S0FTWARE.zip:Zone.Identifier  msedge.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid   Process
4744  msedge.exe
4744  msedge.exe
5840  msedge.exe
5840  msedge.exe
1336  msedge.exe
1336  msedge.exe
1020  identity_helper.exe
1020  identity_helper.exe
2984  msedge.exe
2984  msedge.exe
2984  msedge.exe
2984  msedge.exe
5788  msedge.exe
5788  msedge.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
888   S0FTWARE.exe
5652  S0FTWARE.exe
5652  S0FTWARE.exe
5652  S0FTWARE.exe
5652  S0FTWARE.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
pid   Process
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
pid   Process
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
5840  msedge.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
6120  MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process     procid_target
PID 5840 wrote to memory of 5780  5840  msedge.exe  77
PID 5840 wrote to memory of 5780  5840  msedge.exe  77
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 3344  5840  msedge.exe  78
PID 5840 wrote to memory of 4744  5840  msedge.exe  79
PID 5840 wrote to memory of 4744  5840  msedge.exe  79
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
PID 5840 wrote to memory of 3160  5840  msedge.exe  80
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/3is42kz6mwjhj/Files
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5840
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb23ba3cb8,0x7ffb23ba3cc8,0x7ffb23ba3cd8
  PID:5780
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  PID:3344
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  PID:3160
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID:5036
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  PID:5512
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  PID:4688
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  PID:3176
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  PID:5252
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  PID:860
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  PID:844
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  PID:5216
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  PID:4560
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  PID:4052
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  PID:1308
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  PID:4452
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  PID:1520
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4696 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  PID:2872
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,13691689298194684550,17104788695903159858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5788
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:5404
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4320
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5936
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6120
-
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
PID:680
-
C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:888
  C:\ProgramData\DHCAAEBKEG.exe
  "C:\ProgramData\DHCAAEBKEG.exe"
  PID:4436
-
C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
- Suspicious behavior: EnumeratesProcesses
PID:5652
-
C:\Users\Admin\Desktop\S0FTWARE_(password_1234)\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE_(password_1234)\S0FTWARE.exe"
PID:4296
-
C:\Users\Admin\Desktop\S0FTWARE_(password_1234)\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE_(password_1234)\S0FTWARE.exe"
PID:2196
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 23KB
MD5 5e54cb9759d1a9416f51ac1e759bbccf
SHA1 1a033a7aae7c294967b1baba0b1e6673d4eeefc6
SHA256 f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948
SHA512 32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664
-
Filesize 91B
MD5 52634c07628a6587397d4dda3b4a715c
SHA1 3d2770aaff6fed652c58d6cb336e966507633cf4
SHA256 b8fd7c9710958ecc43f0550087884107f066df7fd7e8cc1d1024faa8389b091d
SHA512 1188057387054ce85f587baede54fbd0e0624b3648c3146ab9d24a08cfb70f7655f497fb1e0112aede7d543893b5c021aa1dc0fe9a700626b93437d125a7de14
-
Filesize 5.8MB
MD5 c441be4f7fd0f07fdcf94657c624c3da
SHA1 bedd1f5d2feb959599b370590f62f02cbb3d2d3f
SHA256 47c6484dde4d9ca23a7667b1b71c5ed88d7cdd3dccf57485333ceda0153e5684
SHA512 c753bfa2b84ea5dfc47dbe25b807af6dd7d79e53a780ef693052f0c5c774767ef5b277671b07c539132af11a56546de3dd18790ce3fb3c4f66ca63c6c17fd8ad
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 152B
MD5 003b92b33b2eb97e6c1a0929121829b8
SHA1 6f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA256 8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA512 18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77
-
Filesize 152B
MD5 051a939f60dced99602add88b5b71f58
SHA1 a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA256 2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512 a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7290c6d4-5dd3-45e9-8835-e66580dd299f.tmp
Filesize 9KB
MD5 49d0e4d79df7061a975217692b19987a
SHA1 35d7577cf15a1c8874b26de8dba773f0ec1cca59
SHA256 39647f8886e967a4a07eceba36209a7161b626c87f4f9229d49b5880c11cf9be
SHA512 a7a8cb660c36ea87026011f2d09ef96cdab38db4a780e4b2963438a769119daeb2da285377c6087bd553ef4b9a3ae8941ea06effae55c70f3cfa96f0c701aad3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
MD5 d0913540e3877df6e434bf5dd8c637aa
SHA1 c58336e4257b57aed5fb4d0abf617f17cc211c41
SHA256 43a4a6da6e4f42c5098636fbee115a728c4b4784597027f0231173ed4aba9d90
SHA512 5092b31c3cffb6c51756b23550db0d28e69548624d67a56158ddce9c5ad1d22fa9abf140f16b29261f7ccb371706b3ad10e16f744d5ed0fd8d181caf12505fe3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
MD5 a4060b2f254aaef7d56ed009b803d672
SHA1 e2ff5d9b0ed1e7c3b50a081eed4f566511ef749c
SHA256 1a01fc88d2dc8804ccfada022b21a7afb9e59b6eb5be7b703005c1d39aabb87d
SHA512 f06d5d2edf29ebb38a7e0d6410cb519b10421c7172fe3c17b50e47059ee45103852b6760578940cd08e1c8015c63909887071291b84e8f3854636ac9a208b959
-
Filesize 36KB
MD5 1c9e97bcb0544f055157472af83978b1
SHA1 7599826fa8692bd88f185f52c5b4ee786c61c98f
SHA256 459cbe2f54012e126b7b6715eeed635ab91d02cd9c713685374774a944ddb5c2
SHA512 761d466aa01b771af0dc2141ca743d4f66fe9327f086bdea1d2475d368c51e2a770207745ae8c71fc24a9fbeafc168248a95453f36dabb97c65b5cbd41e8e576
-
Filesize 124KB
MD5 ad1bcba6f36eecaea7bc4cac7e5402c4
SHA1 043a7efafbf59eb6bdb9144188dff30c290786e6
SHA256 783fb180849b8a520f75aeebcc06ebe1375818923ad9f9cdf2b552a408f94f39
SHA512 baf22b32fe265ea64ea627b95f233bf8953c218744a9e6dd30954d4064392e09899ededb4843a2f48df83752303db47ef7cd75ee631550d884ecd8957bbdf170
-
Filesize 9KB
MD5 413abb15e582f98f621208b38ec625ae
SHA1 2f8f3ea5b96822843ec51d29b4446f7d857fb1cb
SHA256 9fe86c276008190b0e2d94b545f69f0dd1091e31b813f49d32b430873e0ced0b
SHA512 65211a17a5974784c64293c7496794b68be692648c4b8597a48ff9ce5542456062c79a92f18d03083696c0adbb2bb455a7f51b69a69ba9af25e02b3c70f27baa
-
Filesize 7KB
MD5 dbfcf79ae689ca36bf3f5472f1e9c72c
SHA1 98bc09d2e10b88b3f3bbc2d089fb2002d80f77fa
SHA256 9c5ea0ab0ee5906f277e355b7c5f60dddd0aa81aeef21b4cf30bf3cf75a74426
SHA512 41b578f258373e373893a9a7021a588de1cfb239aa089d72e4c53ec3b1ba4ec920770059af786a5412793d9258c3270a8d49dae6b8eb34d7781f2d69cafc603f
-
Filesize 10KB
MD5 7ca9947fcd75397af8374195a0ec20fa
SHA1 6d07cfcb3addb1a3cf6086619c79108b4244ee2a
SHA256 d7ddaa7d29b8f08a451720df98683dd9fa268fd14313698a59d59fb63b7eb7f5
SHA512 b14f57c1b0a4028d552f48b052aecae578748ac0956e5000834266579a38ed34ee9f355a4b17efc81ea7e878048e652a1ef5f7711f2b4b76dc32882c9c43743c
-
Filesize 10KB
MD5 eeb4d9cb7dba3e5651a10302d1ad92a3
SHA1 79c76a08222e983c3ee5ff26b49a40eadeca2a13
SHA256 7f867b69de108019773001fb6f2e50b9b3bffc4c04c65a9d8c6b77ecd920b862
SHA512 9b42078138d473397ced24979fd194532a398947ca422ec72dd42a4e2c089dc0a936e31d7860685e3d300f68411432a310ebca9758ab60c181782167d9ddb332
-
Filesize 5KB
MD5 1325707dbc83123c15ccbad2a58c3281
SHA1 4cc6277e4db2a7e041e5ab7891d156613dff7bed
SHA256 ea76ebb504bc72c0bd3a1babccde441b4ebafa75e89d4bc2097f1324ec1d4e02
SHA512 8bad5866b6ace39405d3477bf2f2c4ec8af5ec1293ffe58a92a511bcc9d7b7fc022884db3fbb2a45eb26091e0275ab789c0b51f673580741bbdcd194698ad980
-
Filesize 2KB
MD5 f5739629a8acfcd984cb1ba57541e8cc
SHA1 ef16952c4e4030f85fd16c390b0a1a5df8661e87
SHA256 1a55e3ad8bea0bf5ef2ce9ceb68426303a2a3f9ea8f6e911b390910796f4954e
SHA512 918ead00335507fff763221da080219f0aad7f085d8406479e37b45a0f7d4eeb87080648ca76cd9d334d21020ff52b22e1d92eda37e97b3299e53f6e9ab0acb2
-
Filesize 2KB
MD5 81b7918a58bbb11693d9beadf27ebc17
SHA1 0bc35260000f6bcfa50221db5b7b2da56e0ee8f9
SHA256 8ffbe51d7ac9fce676870daf907dd4704fa82dc06fe36401e7b0ccff7559069f
SHA512 8011c12dc95632237db4ae638a067b322b6f2750e9fc6d2879851b818a6cb9e426a72ee8f780ff95c2181b1175890155003e5f309100aeaf02994134a1b76daa
-
Filesize 2KB
MD5 3c51af93faa40cda60e0bc3832b2407c
SHA1 6dc672d42bef9abb110e5b7ec2444efe63d45022
SHA256 2d3b6a874233ecfdc64427cd319dd2e83b0064d90e6cf207b071a605b32f150f
SHA512 30613e2cc7016dcc0c3ea4665d69b8c99bc8ea26ee9da002919e7ae7633d320d1c2c12cacf3ac8df001a5b7496e3dcb90c0c53cb484beccd166a43dccd27f7bd
-
Filesize 1KB
MD5 01156a2cf1475e7809f1749c2fd1c759
SHA1 6694224bd05441b2ff619a08afab36cdf81b4bcc
SHA256 b3b999f5f447da36ba45ee82c165106f54f0a275db6307f1e5bcaee5fd224564
SHA512 e49033fde171864fa285a189cd0bd5c8c56e8810423c0fab62c0ad045d43fd4a1b88ca9f61e135e93ef08126458926a2e6182dc2da8ab1084abc011ab633ce96
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 10KB
MD5 aa91c8f207c78bc94cd98e9642687d0a
SHA1 e947617928b7df34a262d82f0c7ac649277fe17a
SHA256 44bfe21ccf16a29b384c3aafcfa4d86457305b09fe3c04d8b8cdc460d07ed0ff
SHA512 b55d53bd50597551773eb27224197b1320e3698b9060748381ab7de969cd7fb9779eee34e4bd559c7602417890393bef4202b31558cbe5250f0df93bb09b6f50
-
Filesize 11KB
MD5 1e5ceed2806475dd0b130ebd1f198f36
SHA1 e2f7cc7192eea848cc219e7f30daa1d93e9ac6b4
SHA256 2891526742b108600da1e1bd9ad14794a2183b691db58097ed74c1a808951b68
SHA512 401790b69ff83e4f1d611963b2b01165b088b92aae26a2885176babcd08ac04e692c2943053322b7d1e1a55deaa94283691d9d20cf9f450797c6ba7f26935bac
-
Filesize 11KB
MD5 9cf12fe11da5ce817bf43e6e6853e236
SHA1 4e81580ba28b548cb78ffda546005785ed03b2da
SHA256 bfa884b8201cdd1c6bce87c2aab866fd8ca62a760c6cec8f0adb99fa71a8324b
SHA512 d4aede45e0ef064a9972e208c6eded3199357013310e6f3d612c34a1e614c0bec90496d0b32af1bf63dcf34a45e183f4accdb8b6f10aaf7757d216d6c38aabea
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
MD5 b7443e89f0cb29d51ee6a257750e54d2
SHA1 84127eebf275e781d5276af6fc4d09c5a6bfb7b9
SHA256 8226877d6ab2e4834aea6bc71bd9865b28d0bd1ec2e8b4c23b8acf0301c56f26
SHA512 446cfe25d82f3bbf7badd324cae691ad62e13bd7469e415f47b9141bddf30679219c672937f4f6768796c2936c3b9c557fabbda1fb51c5edbb7c1964bffa17be
-
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize 3KB
MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62