Analysis
max time kernel: 42s
max time network: 81s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 14-11-2024 22:29
Static task: static1
Behavioral task: behavioral1
Sample: Unlock_Tool.zip
Resource: win10v2004-20241007-en
General
Target: Unlock_Tool.zip
Size: 49.4MB
MD5: c97087524507b9008457ab7897888594
SHA1: 24c40594b212e722c2a5c002468dc431b02e1d32
SHA256: 726bea2f32c83d55448328b564b105fab5ef5632b0c74090c98e330b8ea633f2
SHA512: 428e05cde055f0aca94545ae431eda9bc3a10f098f1b66aa16d2448f31a7f257bc43192a82ca9565b37c9441147b1efa47a59177e7792e91b7778961741ab8bb
SSDEEP: 1572864:R+B9ONqY9Qhi1An/EfsU+m8NaBaX7a0rhbF:RIOkTi1AnABg79v
Malware Config
Extracted
Family: vidar
Version: 11.7
Botnet: 4b05932e298d86a233eec0514ef2c4f6
C2: https://t.me/m07mbk
C2: https://steamcommunity.com/profiles/76561199801589826
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures

Detect Vidar Stealer 34 IoCs
Vidar family

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 10 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
6016 | msedge.exe
4036 | msedge.exe
4688 | chrome.exe
2484 | chrome.exe
2652 | chrome.exe
5584 | msedge.exe
920 | chrome.exe
6008 | msedge.exe
2392 | msedge.exe
1120 | chrome.exe

Executes dropped EXE 4 IoCs
pid | Process
3080 | Unlock_Tool_v2.6.1.exe
1984 | Unlock_Tool_v2.6.1.exe
3016 | Unlock_Tool_v2.6.1.exe
5108 | Unlock_Tool_v2.6.1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3080 set thread context of 1984 | 3080 | Unlock_Tool_v2.6.1.exe | 112
PID 3016 set thread context of 5108 | 3016 | Unlock_Tool_v2.6.1.exe | 118

Program crash 3 IoCs
pid | pid_target | Process | procid_target
3720 | 3080 | WerFault.exe | 107
1392 | 3016 | WerFault.exe | 116
5516 | 812 | WerFault.exe | 153

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Unlock_Tool_v2.6.1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Unlock_Tool_v2.6.1.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Unlock_Tool_v2.6.1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Unlock_Tool_v2.6.1.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
5040 | timeout.exe

Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1608 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1984 | Unlock_Tool_v2.6.1.exe
1984 | Unlock_Tool_v2.6.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4376 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4376 | 7zFM.exe
Token: 35 | 4376 | 7zFM.exe
Token: SeSecurityPrivilege | 4376 | 7zFM.exe
Token: SeSecurityPrivilege | 4376 | 7zFM.exe
Token: SeRestorePrivilege | 4580 | 7zG.exe
Token: 35 | 4580 | 7zG.exe
Token: SeSecurityPrivilege | 4580 | 7zG.exe
Token: SeSecurityPrivilege | 4580 | 7zG.exe
Token: SeRestorePrivilege | 972 | 7zG.exe
Token: 35 | 972 | 7zG.exe
Token: SeSecurityPrivilege | 972 | 7zG.exe
Token: SeSecurityPrivilege | 972 | 7zG.exe

Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
4376 | 7zFM.exe
4376 | 7zFM.exe
4376 | 7zFM.exe
4376 | 7zFM.exe
4580 | 7zG.exe
972 | 7zG.exe

Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 3080 wrote to memory of 1984 | 3080 | Unlock_Tool_v2.6.1.exe | 112 (10 identical entries)
PID 3016 wrote to memory of 5108 | 3016 | Unlock_Tool_v2.6.1.exe | 118 (10 identical entries)
Processes

- C:\Program Files\7-Zip\7zFM.exe (PID 4376)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_Tool.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Program Files\7-Zip\7zG.exe (PID 4580)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap15683:94:7zEvent23333
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\NOTEPAD.EXE (PID 1608)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Password.txt
  - Opens file in notepad (likely ransom note)

- C:\Program Files\7-Zip\7zG.exe (PID 972)
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap26644:94:7zEvent5419
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 3080)
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 1984)
    "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4688)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 456)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa085fcc40,0x7ffa085fcc4c,0x7ffa085fcc58
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2964)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5040)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 972)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2484)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 920)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2652)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1864)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3148)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2372)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 664)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3988)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3708,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:8
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2108)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5420,i,6598118716260922393,5047786466604895953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5584)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5596)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa086046f8,0x7ffa08604708,0x7ffa08604718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5824)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5832)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5860)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6008)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6016)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        - Uses browser remote debugging
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2392)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2160,7261057731001561619,3255042624510681386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
        - Uses browser remote debugging
    - C:\Windows\SysWOW64\cmd.exe (PID 464)
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCBKECAKFBGC" & exit
      - C:\Windows\SysWOW64\timeout.exe (PID 5040)
        timeout /t 10
        - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\WerFault.exe (PID 3720)
    C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 256
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 2248)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 3080

- C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 3016)
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 5108)
    "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
    - Executes dropped EXE
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1120)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      - Uses browser remote debugging
      - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1148)
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffa085fcc40,0x7ffa085fcc4c,0x7ffa085fcc58
  - C:\Windows\SysWOW64\WerFault.exe (PID 1392)
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 236
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4444)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3016 -ip 3016

- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3720)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

- C:\Windows\system32\svchost.exe (PID 5052)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

- C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 812)
  "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
  - C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe (PID 456)
    "C:\Users\Admin\Desktop\Unlock_Tool_v2.6.1.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 5516)
    C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 228
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 1692)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 812 -ip 812
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads