vidar | hxxps://www[.]dropbox[.]com/scl/fi/67epyl2uw2x9t8y93bkch/Unlock_Tool[.]zip?rlkey=g0dmjtoajve5wofhntuxo673o&st=ibvvsshl&dl=1

Analysis

max time kernel
130s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/67epyl2uw2x9t8y93bkch/Unlock_Tool.zip?rlkey=g0dmjtoajve5wofhntuxo673o&st=ibvvsshl&dl=1

Score

10^/10

vidar 4b05932e298d86a233eec0514ef2c4f6 discovery stealer

Malware Config

Extracted

Family

vidar

Version

11.7

Botnet

4b05932e298d86a233eec0514ef2c4f6

https://t.me/m07mbk

https://steamcommunity.com/profiles/76561199801589826

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/5832-1006-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5832-1008-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7
behavioral1/memory/5832-1010-0x0000000000400000-0x0000000000659000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 5 IoCs

pid	Process
2664	Unlock_Tool_v2.5.9.exe
5808	Unlock_Tool_v2.5.9.exe
5832	Unlock_Tool_v2.5.9.exe
5888	Unlock_Tool_v2.5.9.exe
5924	Unlock_Tool_v2.5.9.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 5832	2664	Unlock_Tool_v2.5.9.exe	130
PID 5808 set thread context of 5924	5808	Unlock_Tool_v2.5.9.exe	133

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4596	2664	WerFault.exe	127
2144	5808	WerFault.exe	129
2300	5888	WerFault.exe	131
3576	5984	WerFault.exe	134
4620	4388	WerFault.exe	140

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.5.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlock_Tool_v2.5.9.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5504	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
1288	msedge.exe
1288	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
5072	msedge.exe
5072	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	5376	7zG.exe
Token: 35	5376	7zG.exe
Token: SeSecurityPrivilege	5376	7zG.exe
Token: SeSecurityPrivilege	5376	7zG.exe
Token: SeRestorePrivilege	5836	7zG.exe
Token: 35	5836	7zG.exe
Token: SeSecurityPrivilege	5836	7zG.exe
Token: SeSecurityPrivilege	5836	7zG.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
5376	7zG.exe
5836	7zG.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3588	1288	msedge.exe	83
PID 1288 wrote to memory of 3588	1288	msedge.exe	83
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 5108	1288	msedge.exe	84
PID 1288 wrote to memory of 4192	1288	msedge.exe	85
PID 1288 wrote to memory of 4192	1288	msedge.exe	85
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86
PID 1288 wrote to memory of 1552	1288	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.dropbox.com/scl/fi/67epyl2uw2x9t8y93bkch/Unlock_Tool.zip?rlkey=g0dmjtoajve5wofhntuxo673o&st=ibvvsshl&dl=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba3c646f8,0x7ffba3c64708,0x7ffba3c64718
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,14015638036638473420,10109063126518341294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\" -spe -an -ai#7zMap29195:84:7zEvent11316
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unlock_Tool\Password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5504

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_v2.5.9\" -spe -an -ai#7zMap23787:122:7zEvent11048
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5836

C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
"C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2664
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 296
  2⤵
  - Program crash
  PID:4596

C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
"C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5808
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  - Executes dropped EXE
  PID:5924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 252
  2⤵
  - Program crash
  PID:2144

C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
"C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
1⤵
- Executes dropped EXE
PID:5888
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  PID:6020
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  PID:6060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 272
  2⤵
  - Program crash
  PID:2300

C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
"C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
1⤵
PID:5984
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 248
  2⤵
  - Program crash
  PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2664 -ip 2664
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5808 -ip 5808
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5888 -ip 5888
1⤵
PID:6136

C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
"C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
1⤵
PID:4388
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  PID:4948
- C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe"
  2⤵
  PID:1360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 260
  2⤵
  - Program crash
  PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5984 -ip 5984
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4388 -ip 4388
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
8e73057e1010ca3e4665d8684aa5cb27

SHA1
0ca566c7ad7989fbc18c776a3fba50efad8f1d4a

SHA256
d85e29689cd211d3cd266baca7738ffd200e2ac07f24b3aaa75940e274f10e7b

SHA512
48b7d189e431bd565fefbae5ac1060401e4401bb11a5e4dfdd2d8c925212abf2180936bee8712a70f30728250b31a2016a20abede0d2d1cbfc405c8eb14242ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
0d8f6daadc72fa35f025629a44db3bcc

SHA1
ab1e60ca41cd02cde57db909d5c274f595de750a

SHA256
b8ea3507ded8c4f15d4920877001850c0b5e88a5b687b7595ff736e1195f0598

SHA512
e17664b448713f82814b9bc6b109905a3bdae5579eb38b4c5d6c82805cf4eda6b9b03b1db0757bdab101444be6821a2639733ccdf5c8a9e0a5b7b99a1fac4457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
680B

MD5
a7f653dec373fd7e6277411103c5f7ae

SHA1
7f7f0cb96564b97ce59136237978d389f9e9ed01

SHA256
4949b1af26effa9d2df3dc24f8f66f128b22dbe4a9e5d4cd194e499ccda3b4b1

SHA512
91ee0a32774ce2f77bbe89e34dbc95cbee6d1a1f6f72dcf3f6d7d7c16d288d92502e7bbfd5c0c09839484671d47591444754eb269e8646f57e61af4ffc2519bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
680B

MD5
ebd95dfe4def75ddfe6e23d2fdf14928

SHA1
f25655e3511f2ec769a32e68f6e748a7b1b6ad7f

SHA256
1400aa4a44eb81b3bf967a19afe97e9bcba5def94d1fd5a0060aed1f7c9aca1b

SHA512
8a17fb35753c5f97468b87599d9b5b2b9b37e63acf8c4758f5aa70c97657d97197bdc76290689f1e3bd93bb3d4668425e5f8554d7ad4c63855e98fa4ce3802ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85f58e243d68f4b8dd302e86fad24338

SHA1
a85f62ae7ac3a8392a4496d213fe90534c4ec658

SHA256
5b12dcab8bcaca58f52c924d0e246890dda84b33405d084b34e93ddc497a6dcc

SHA512
98aaf1386537df1b9c9c56489b9c6f6281860cb730b9097d29688116b825037ea7a75c78c97be45d24be36794979a4ef8b538c6ab5b6e83b11aebdfdefdd0762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f41bae04b4fbd135730e83e4fc66dbc

SHA1
c29c0cd74ccacb9035fb9a272a56437a9cd24afb

SHA256
64dabdc20327bf955b02a600b9c897fe84d6d37d4bddd98ca6abb554b814f04d

SHA512
a70005e6c8aabe63934b5fdd32b90d826a5e5dfa7a461dfcb23b3fdd63eb7bec237593e8a06a60c2c80dfe25a59ec49ed2dcfc6eb04254354a4b98276b9010f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f27281f7a5fd8fd530de0f693e7048f1

SHA1
4ca5c2a3a2740e732f6f5c3f366202b21a05bc19

SHA256
38bde68d9f24cbd7e4f0e252c4b99ee724a46ad5389ae0181edf8960066b94be

SHA512
5520a3a3f1b64f2d07542bd9eb2670bc4c1595095a5d667647fe9c7c6f171cff378ea743ac98611617abe575e7eb034a849738b2e07b40f45114d65f2e04607a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c2daef1f300f525d1a5ea3e8cd3cf55

SHA1
722eb5d530bc00dcc7b2423e38c7f60bffb24c3e

SHA256
d6e90851be8b09dc3858c73a190fdfe8c54fc5908178bf44bcb57d07c701cf5e

SHA512
2c99f4cbeb81651222dccea7d7490197a10510da8933b36969573a96cbea76afa8466398194d6a8b8ed6eca26d21337831c30649496a5ceda3f367d862d9febf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
700B

MD5
75136eee89da75e65b7ef14c448a608f

SHA1
203baa89914f4bef846838d6d21d715d01bf2918

SHA256
a3690ea3ad0db44e837c48dfdf46164c66b5f816695d77970e02db9004566024

SHA512
c8484d5cc99eeb5e2c01b41ac75a8e1fbf70040cbb499482eb8bfa7fea101469c536a48a440d60f0260faf68c1c31fcbd59a29c568673084d2134abf8312d6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
698B

MD5
6f013fb38e42f3b34880842f3a18da36

SHA1
760a0fb008ddf91b852e4729e7e411e848c6fd58

SHA256
c3dcad9df9e8c65b6d0b435b0311b546d6aab0c0bb7d57cc93c825fc9bf959f0

SHA512
21c84e823f3a3c214cf1fa6e1bad0e63f7c14bf7c6fca2ba2aae6d299f0070e10ee3932e63210e5725b354a2b85b1aedcb04dc145afe664cf1418bae43f47690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de2b.TMP

Filesize
366B

MD5
4065d605ede7b8077f1ac1f26a62c358

SHA1
f05a3412a1b992a48c1362a9632253da8c941f6e

SHA256
3a8ddb7cfdb9608cfec688762e1ce2c9b039d7b942c2511678b85c1c2d5560e2

SHA512
c0c79d698d92039337be8a8ea63a4c885a31e28620c5e7a5b2289886ace0bca1b649ab4767231e57c267e325da677b471e8f3461fb11f550bbf3b2738165ddff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
612f593fcafd27b4d96eef573f0ac745

SHA1
2538adf5de896135330cbd927a18187272e616b9

SHA256
0c39fd52b602ce8221a0b34d2b76dbc43d80fd59ca94c6fb02946cd943ab5422

SHA512
c480f730e0b48519a4f0b4fc4d39e4493f9697fd35f9e9325a167c34f03c5d2ec764fc58954bbe8b21863e41216e2ba2fab6d7e70ada92166f886eb729ccd404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
62a7b426cc150889d08d493ae4dc8b31

SHA1
0012fa67df21dc3f358c2c55e691f60279590329

SHA256
9416d85f4014f1401fedc4bb523144a8ccda07b8d861c61b01953dde40212e0f

SHA512
b5130ffc5571aacda572e47a21ba7c2fb2e46f4805409d517375973b9ce8b5d4c2c05f91a035483b8b9d73150a7ef44bd3b486802e695e363da54a3c4f5821bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
219d98ce510dd15b440260bf6d0d266b

SHA1
4d0ae23c4748cd531fea874b787dcdb1976d8acc

SHA256
df19c76cbc2e8316c130680d8de2b7174dba72a7d1c6b3bdaed488d5e2e283ed

SHA512
c4f06d2f14610fd7fd1bb140e39c2d5e35d00aa16a6ddbdd72c1eac813416352f0799174471858fc06c9ebcd2440bdcdd965a4694e0ac9f3b3da2f677b32277c

Download Submit
C:\Users\Admin\AppData\Local\Temp\delays.tmp

Filesize
1023KB

MD5
1a193683dc74337cbe008b244ae86358

SHA1
926e6b7e6c2c26d65f028e50b7c41d9a8c4dfa92

SHA256
458eb5faa7e902a906b649529b45f806c8fab7b480db06ff8f0e033d2ed08608

SHA512
752f20331e34e9c864bff13fde9333148d235b0c1564a9d18f9a0f873f627b5e04b6bd24c763f64fdc1e8281e3701782e8d754a54bc2a6cef47ef230d97770c0

Download Submit
C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe

Filesize
2.4MB

MD5
ffb4471226b35c2c0786116e96ce847f

SHA1
ac13b87354771880715acfa93a807cf675b25d05

SHA256
1cff3c013ac5769bdb2a892135bed19b5aa58e94bcf1e48a63c63e62948604d8

SHA512
b07cfb4e72ebff238ff66952d826d3076c2f0a60dfcdaec412b2476b064739cb1bc0f27be466e12c01be7167d2166e023ef0766be550244194d26a1568781826

Download Submit
C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe

Filesize
2.6MB

MD5
02667fd4801618e851c2aa0b89236692

SHA1
2d5ed412d924908a455ac70fa280c430079d555a

SHA256
c688ab98b3ce475a30d73be4bb2ba7b3e1c0d43b98e55a946b2ad75fe4127888

SHA512
bbac9c0b89238c8c8385e8c4d422bb8457a08b9672197b0a8aa231c3d7e0a76011e078662b61f36ec40d57c0527c44b4984bb9565089be8eeab12f7087253a60

Download Submit
C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe

Filesize
2.6MB

MD5
1736b099d03923213471ab745472a9cd

SHA1
fe4ab5f1fb86b6dd73fce9c95878c58056526950

SHA256
0669dcfae99c920ae35197a45ba0a362d9b3828c74685d4d27751ea6ebfd75e0

SHA512
500e06cd3951cb3838eb5681343816683471ec3d13b4978c80df5ecbf204540e6a3999aa0ffcf1466f0ebc4bfa2ba1b25471c9ef59aa6707c4c8bbd0fdf08fa4

Download Submit
C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe

Filesize
1.7MB

MD5
eb4a412aa8d5c9c7e4c489f685688075

SHA1
3a4c3c99ceaf4608eba404e5870a9d033e6c9912

SHA256
095d005b613228c7306f68cc0b617a62768266fcf298433ab0be01e9f94a56c3

SHA512
459f3fdf8f883efc21ddfe06030fa2ef66a17a49008e55799603f1fa043eeb32f906c0e0a2aad4e48081442c2895fe465d9110cb2ee2c35aebb00bdf494ee573

Download Submit
C:\Users\Admin\Desktop\Unlock_Tool_v2.5.9.exe

Filesize
1024KB

MD5
debb713ff875e66ccd03f34df8ce807f

SHA1
305ca23d2931e375b13a09a0f48aac5eddbb299c

SHA256
409e78124545fe7c99da07a29cd8b2ffc267605affa4d281e8036efd773049b6

SHA512
2263c19dacfa57c6b8dcca1395890dc630bef55961ff979bc2a7d575f9ea2d316fb0b5fe52b4b5e7efacc94e601cc753b5a4fdf7d65af1b8fcbba823539a3c6e

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Password.txt

Filesize
94B

MD5
40d2bba2661f32bec508886f1d097cef

SHA1
006afae44254592c4bf3ff8ab989dcc6c3e535dc

SHA256
310fbc255888e9d09afe844b5523cd3377eb8df64c04efe0bbf0f69e26440c8b

SHA512
9af0b4b27d6841913dc6e3ed55f685e737d96af67ed142082478ea4353b941eba1f92fd0011fe41877c50c1ba3618db430ac209f5d7c4502b25a99ccb6921fa6

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_v2.5.9\Unlock_Tool_v2.5.9.exe

Filesize
2.7MB

MD5
e66371441b6223c517e381cfbe8e1864

SHA1
2ac93eca52938e19c086550807923a85800e97a1

SHA256
736ff6e041158ab21fae0f3dc2f2389f2d1baf9186e60d75900c2a71552de95b

SHA512
8aa02d9df0ee8ab6c43c8d7883a9ecfebb1f0957bb61a1101d6331324c28e0496f0c654be548ce34f9f76a08a0c102b3239c6c4b4f0457e708ba980c488d6e3c

Download Submit
C:\Users\Admin\Downloads\Unlock_Tool\Unlock_Tool_v2.5.9\locales\resources\Data\level4.resS

Filesize
128KB

MD5
64d183ad524dfcd10a7c816fbca3333d

SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c

SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a

SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

Download Submit
memory/5832-1010-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5832-1008-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download
memory/5832-1006-0x0000000000400000-0x0000000000659000-memory.dmp

Filesize
2.3MB

Download