Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-11-2024 21:34
General
-
Target
https://github.com/subscratitkow30/Epic-Pen-Pro
Malware Config
Extracted
vidar
https://t.me/gos90t
https://steamcommunity.com/profiles/76561199800374635
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures
-
Detect Vidar Stealer 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/subscratitkow30/Epic-Pen-Pro1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1d5946f8,0x7ffc1d594708,0x7ffc1d5947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5996 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:12⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\link.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7656 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,11455439983188058673,1273123738711543340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Unlock_Tool.zip\Password.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"2⤵
-
-
C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"C:\Users\Admin\Downloads\Unlock_Tool_v2.5.7 (extract.me)\Unlock_Tool_v2.5.7.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 3202⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5924 -ip 59241⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
70KB
MD5807dda2eb77b3df60f0d790fb1e4365e
SHA1e313de651b857963c9ab70154b0074edb0335ef4
SHA25675677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc
SHA51236578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
1KB
MD52b2344750e17c2bc4102fc91f00d7a03
SHA1cd0b769cf30974c0420a97b2be62bd99a8606c1e
SHA256bcf4b83c1c968c6c944636175a21937649ac2a9de3ecd53840a7a543db61803a
SHA51290c8a0a9956e88c53177e1c37f649b3601a55f33dbf9944bdc77dfd73222ef972b52c295c2151120e46782da4f9300153f4670c08bbc349316927905962bb743
-
Filesize
3KB
MD5f4bc9f619e781f661e09c905099ec873
SHA102cc54cb207fe7e6014cb85a026b0acc24369c4d
SHA2560ce3a062aa2043c7d02da9a213565c27b9e51bafded74c94210252f053f7d14f
SHA512acfbcc6702c3389e77fcd556be5eee0bd9cba5fc5ff9bef38c535cb62bf5c07f362eda68fda2fe2d901b55765b3a954f25973a526e5d86d60e32c7dde2dd4420
-
Filesize
1KB
MD525ad511ebff63bdb9e4182a41987f207
SHA136f2f475bea5bb9da96c7951bdaa80799f61581f
SHA2566b513d81d74ba1b3208c45f558ddc1e0a0dce5c8b740c6e22cd16f4e71320c9a
SHA51285a76fd82fd160d964ef5bda2354bbf54b47a0c0ccb71edeb33e85f69df27f5233c5265adabc2e74fd56812785711ab233e1ee110b813ec86ee0bf88f9f3c63e
-
Filesize
4KB
MD5640f080a166438e2ffbf55a5353d8c09
SHA16dfc2c4da55537308741ff72f18106b3bf8fec8a
SHA256f4c9ca4d8aa1ba33329e6e372e5ac9cf5e3dad61e114d4ff16d35a93e83f56b5
SHA512f9dcdf78beea37ac96ab78a5d7fcf6c9c440e83fcd1c65b1a0ff8628d572d045e7d923052634ee0a1276955574d2507e0c977b450def3f18167404b3788598c8
-
Filesize
6KB
MD55cfdfa4bb1008eeae820769e04d40f1f
SHA1a7134b0be5718af70e9ddf0d9df4471ff5da0a38
SHA256b3d618d48975a974edca2e83278e8dfde20d28b745e2c24624845771689c34eb
SHA5129394c2e57f0949532edd10d3e9a409766be8abb13be1b8a1e925de54d1aebc9bcbf21928301fa430040f74ea209878c0c1b8571d8e1ed48178d96b41fb6b5b2a
-
Filesize
7KB
MD5969ebe94fdcfedbe4f0adc62189b473d
SHA17f740ba5d8c54b267c425b5ce0292cbd11466386
SHA256cba84c83f47d67233fe1d09b9aeaa935c5dcb9a899d4161b7ba85a2518e9897c
SHA5128133d523883bdeaa4e03e341dbb44bef6c40b6d72c25b7bfaf05a2297ef8a550c2b47257ffc9db0043e68e9e731111cb8294f5e107e37eec9de4f15a66b0d0e8
-
Filesize
5KB
MD5c4a980ab270f6c56e30638d4bd6ece5a
SHA142a6e50f166643d2f63b341e2020ef8f6dc5e6de
SHA256ad20c167737c9414eb6a764547ede835ace673c036bbfead85d632277c4341de
SHA51221942f7a4c0900509adc208dd0e8e475f55b4d903863a77b79b9dde5c6e34f98747772b7db928c10d10fe0c8c9b7eb84958b586c24f81912dfb27a0d5559ccc6
-
Filesize
6KB
MD5ac40a0c3f0effbbce4aef8facf7cda7e
SHA11e2efc3bc8c8aeb68be7100e66354605599c8428
SHA256cc72cf1db098c2141339985c1086b7df0fd23619ed5417b13ad7be3739e9afc0
SHA5124e738f8ed9d0f6676e0aad2492e2016dd5bde7dd1fe545f1a063ffb4325d77e794b3a769062724a30902d2482df72628301959b2f3cfb00e3d37b1ed357f3bef
-
Filesize
8KB
MD51bfcb40972aceb10fa66ca4820dbf067
SHA1c06631e77ccc78d843fb8ab0cd00b806864a49b6
SHA256586514037f22e30f18afc3bf6abd81890c65d001c3b049e87a82da971de8a476
SHA512377e89bfe4a4afe798c3472424ba317a5ffc4f462bbb1b1a2aaf21dfd4c775fb237e5ca529fd288b0c3ec48192d745655a19774c68352be3d20dd06f20f40b13
-
Filesize
6KB
MD5686a8710a009666e3deb51836c76ea77
SHA15badf86d76e9732259f9be3880169ebd2ec1c51f
SHA2566194b4f30e1a060b69125d22308b514da3a6f1c76a9ab1a75ddc76f521331a2b
SHA5125630dab37d9799510a060057cab0821c7f1dac1f7661314e8e3de4bc3167406c39baf7c09708d0b19457010e3e9c9aeb8e451009049239f0b8a73bdd4c35cf9d
-
Filesize
72B
MD5a223521cb90f01b08cdb48a2df670243
SHA1f43889928caf68609b69bc0b024b1891f6829a06
SHA25612677782c446b1a40dbdb5f163de400e2fbdd45f16abb44fd909729321bf9a69
SHA512b85afe71ed69aba72a9e2897e320bde262c0ce3e3bb5bcb2a8a58fce2134c75e318dfd80e879a772011cf6438d2db42d57f792e0efed1aee3ee33a1602cd9f32
-
Filesize
48B
MD55bded109d4576b71bddb90032b1bd6ab
SHA1bd9768329e608116b7cafd40488519fd97cea098
SHA2562c67227f07487fd8ec90d81877c87187bc8a6ca198ad683897ba92ebf19d073b
SHA512f772ff4be2c6515f48a148ab53beaf166841a101c82388984def5d1ec7223b2c1ca507ca6f73e051c57fe670d7078284df83b5eaf13f48ab8523d4f7fda9aa41
-
Filesize
2KB
MD55f33a6eb19e36a208a8ad6ba2288b449
SHA10325c4f53878b2a1757d858934118e1be152c5fd
SHA256cb3fde02f4ecaf655d84c9671ffa2f11caa047bb01d92cd52aba4307d27920c2
SHA5129b9d0ecd87c4ee857ca4cc69b1e1a1d4efb86471b362b01bcb5fd603fb17e8d7b6abeaab24aad0ff7f929a32cc813de7461600b83f83d43a114513f21031600a
-
Filesize
2KB
MD56a8298a5589ee47a0c8ba1d001fe609a
SHA17ffd360ceefefe4624aa17b2690d4cc936002c88
SHA256aab6050acc6e9dd030919eccee5029c1dabfedc903ecf6f2f5132f9b52a1ae80
SHA5120e3574aa7d54d45598a9cf53f3aa737ce418c602c403753a9cfded5ef8f00a67f66601686a4f0f454791e9f0b8503fceb4307f41b7f9965516fd6ba3c7b4b07e
-
Filesize
2KB
MD5ce7b9925b513abd2bc11337cb68d0534
SHA167753a1ff0f47df509960f54fdf49958bb052357
SHA2569156465162b332bf501c7c22f60327671b6a73cfc1ea5e8acbc07c5718fce1f2
SHA512347b3bf258a799adfc040e3155dd27efd1f4bf7f817d876ff471dd9a1590358a4756b0fc34878843233b39f5a7ce25a2a65ed0eb1dfa9bc44957583eb9b71bed
-
Filesize
2KB
MD5e19b96b924847b78f4d0753b2177bdb2
SHA12e6bed0749c4864c627b4549fb7a4aefdde6e389
SHA25693675bc96032cf4ea62d48ee5a15251a3a11b5718c806b72fe3adf82bd60ca90
SHA512c161c3c383a79d8a90e154856feed32e90e2dc13d275fae1b8a70c743d56a10be61e8aef472a29ca32d492cddc591ba75928595c7ed7cffeb6ac3da16d222ebb
-
Filesize
1KB
MD5559feac3ef23575a25bc938f209eb8e0
SHA1d688114fdc22ab9710643f0d76ae6562dae96029
SHA256bd481614fc88f67a8d9386ba3b33dfb2674b5e1ca69d81518141f54c8bba20e2
SHA5127687c61b15b3eea3c7c7c8cf54c304315898e5a07a16dbc3accc332723388e2adfe35a90aebd5e8a1424bd7888c049e31b5f7eaf20f609b03cd5d02e25edf9e9
-
Filesize
1KB
MD52ed6f96eb9847a4ef4cef67f3e2656f1
SHA1ae6ca798b20562b37a006f6f66e153aee32d0990
SHA2565cfe1851dbd0fba8d5a1ce7752963f5d8ab4b752dde5cbb5eb2d1de57dd02c45
SHA51258bcca2e59ba7197f667e0ab014c1a686103287780db4e386169e1190957f9b02091ba7e89b9b85b6498249e750d05365538a53d66d6006397bb77b8966b3ad3
-
Filesize
1KB
MD53c467b0c5fd6b650eb532ecd772b4a39
SHA179b3d5f6aa0f75eb86453b8e756b385ef38ff80d
SHA256e3df74f351a5d4c616bda71cb05fc2be93132410ea2e6b47151693bed1a2c78c
SHA5124dd1b9923c2c8701411e983fa1bf8d95b127777169a347ea771843c082d73571ef9496818aea791226df1397730564f126dbeed415be305f2b04ed72b2414657
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD53bc4a9e384093f451c218b7a48a02985
SHA1ef5b74b5d949e23785c769f787dfaa654a5b966c
SHA256bcff0424d45131c4556597720a2eee5cc6954d50acf24e54bbc495bf21554cd4
SHA51246205054471a265259ab72550680552ffc8ba1e4188e74ac3bfcba38338a8d1e7f8b3e66a26bec86fd79b1976f1e962ec6c9d9882e9e3ca97d2329a767eb15f4
-
Filesize
10KB
MD5b63d0cf5383d79394a7f9cf42fe13fb9
SHA147deda1001f980c3e252f7238b7de9d4ef01444e
SHA2560544825a4a6b097416506ed55d1a9232d31886cd12bcbaf5e00a2bd0dcafad46
SHA5126650b4ee75bb02659e1b70d8c816cddfaf9e46380c416be3b67e535e5c7b58a57017cd5bd49ee20cb668774cae491ed8bd997bf4528cdc92043372e582b77b4e
-
Filesize
10KB
MD5c832f331271d00e27e94c0ef5502d022
SHA14ab25a1ab66ce183902b3888fed896de55db95db
SHA25666ced592c0afbabddd2d766b18cd6f3590f2025b0233a22ccf1901bd83a637c7
SHA5122dea512f4980bedcab8b52f871a1efd35cdec15673d0bb71e5b004032e585e1b541190d0811978817d9dcbe4a52dc86c7ccbdecbc195ecaff2aee06a0b3ba646
-
Filesize
49.8MB
MD53e764a11cc7e54241418fdecb82a8555
SHA1518b10ea749956f57a496f5abda3ec4b0e1a1967
SHA256913f8c5ffbea634951eb3a0eba953e9ab562a00de5585b6fba25a2de10ed3be6
SHA5124de16f5d572ff00fbcd4fbc9256396dabe7374350d94af1848655479ab8ff2d8e6dc3cfdef600750052cd0dabc7cef9368f6a8fc9d81ca0645267d3fef0499b9
-
Filesize
139B
MD5b158f6f6f236146dbb84f01382f7b288
SHA16044e94429a90711f51626f628a3a9d51d4afd60
SHA256ac87f8dd3c4ffb6ebfebe7e23be8ec298263cb5103bdd180e156997db328c85c
SHA5129f52cd6d10066c7033c239494c513698ada42881768d23ad52785a3f787c53bbaafbc51e66806753e7b104c5d23c2a46eeed6d4740b5a0a9420bbbed85edefe9
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB