Analysis

  • max time kernel
    660s
  • max time network
    615s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 07:53

General

  • Target

    Robux (1).exe

  • Size

    274KB

  • MD5

    b3dca103204683157780d5562579d100

  • SHA1

    61a249df0a3ce1849b7047e252a323c9f26e44c4

  • SHA256

    8077c458cca5d446d5699c86d18cd2ed03507f59ab09582a1147e17291f33c65

  • SHA512

    89c4335aafa72a286b34460790abe4aa9e035db269f9b5e451a85c98326aa87b31d60a6742125011a54f421283e11cc5cf56d7fccfdcdff95d36dac21abec556

  • SSDEEP

    6144:Af+BLtABPDOpJTNN6eTSUdZ/pOlYeJqlA1D0FkB:ppYSSUdZ/olYet1DHB

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/915691701547446283/wUW0ZMfS9Ea3nfJC3GBW1nyVurXzKmQnFhIAcuEwGucZF2JJhh8YakLcl2RpJb6iFOek

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 27 IoCs
  • Opens file in notepad (likely ransom note) 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Robux (1).exe
    "C:\Users\Admin\AppData\Local\Temp\Robux (1).exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4832
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4004
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2244,i,11986678581565715302,451159359636456336,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4572
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
        1⤵
          PID:3700
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4932
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4372
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Windows\Temp\_9518F460-9046-46F8-83CA-1B3FF0C13CEB\WindowsUpdate.20240319.182046.007.1.etl"
            2⤵
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3252
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3100
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C2DA03B4C7B591EAA1CFC8C93A744FE8 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                4⤵
                  PID:2308
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C59836F59C05310635896DB68189A889 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C59836F59C05310635896DB68189A889 --renderer-client-id=2 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job /prefetch:1
                  4⤵
                    PID:3872
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=946D549122C940617DECC92DE8350C64 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    4⤵
                      PID:3752
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C293973C26ABF4785F83097E424D025 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      4⤵
                        PID:1512
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7417068F315CDBCFE6715DCBFCEB1750 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        4⤵
                          PID:5104
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:5116
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:5008
                      • C:\Windows\system32\NOTEPAD.EXE
                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SuspendClose.eps
                        2⤵
                        • Opens file in notepad (likely ransom note)
                        PID:4912
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:3632
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4036
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SuspendClose.eps"
                        2⤵
                        • Checks processor information in registry
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:3084
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                          3⤵
                            PID:4872
                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=619FFB9353A1080B1DE556BBD7C99758 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                              4⤵
                                PID:3140
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=87840DF7ACEC5FC83A24ADCEB992744A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=87840DF7ACEC5FC83A24ADCEB992744A --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
                                4⤵
                                  PID:4380
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16C8354D038976545A21329544BCAB1E --mojo-platform-channel-handle=2136 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  4⤵
                                    PID:2264
                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1C655672E6087E3FEC779BF60E9C7D0 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                    4⤵
                                      PID:408
                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DDF2BB2CCFB9CEEE8882F6E5BB4AC2CA --mojo-platform-channel-handle=2252 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                      4⤵
                                        PID:2152
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2060
                                  • C:\Windows\system32\NOTEPAD.EXE
                                    "C:\Windows\system32\NOTEPAD.EXE" C:\libsmartscreen.dll
                                    2⤵
                                    • Opens file in notepad (likely ransom note)
                                    PID:3436
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault02bca0e0hf6cbh4252h97b9h86a86aa9d716
                                  1⤵
                                    PID:4076
                                  • C:\Windows\system32\SystemSettingsAdminFlows.exe
                                    "C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
                                    1⤵
                                      PID:944
                                    • C:\Windows\system32\SystemSettingsAdminFlows.exe
                                      "C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
                                      1⤵
                                        PID:2712
                                      • C:\Windows\system32\taskmgr.exe
                                        "C:\Windows\system32\taskmgr.exe" /7
                                        1⤵
                                        • Checks SCSI registry key(s)
                                        • Checks processor information in registry
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:3632
                                      • C:\Windows\System32\k5s4ad.exe
                                        "C:\Windows\System32\k5s4ad.exe"
                                        1⤵
                                          PID:3084
                                        • C:\Windows\system32\OpenWith.exe
                                          C:\Windows\system32\OpenWith.exe -Embedding
                                          1⤵
                                          • Modifies registry class
                                          PID:548
                                          • C:\Windows\system32\NOTEPAD.EXE
                                            "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\en-US\MSFT_LogResource.schema.mfl
                                            2⤵
                                            • Opens file in notepad (likely ransom note)
                                            PID:3336
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=756 --field-trial-handle=2244,i,11986678581565715302,451159359636456336,262144 --variations-seed-version /prefetch:8
                                          1⤵
                                            PID:2620
                                          • C:\Windows\system32\OpenWith.exe
                                            C:\Windows\system32\OpenWith.exe -Embedding
                                            1⤵
                                            • Modifies registry class
                                            PID:3332
                                            • C:\Windows\system32\NOTEPAD.EXE
                                              "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\MSFT_LogResource.schema.mof
                                              2⤵
                                              • Opens file in notepad (likely ransom note)
                                              PID:4076
                                          • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                                            "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-817259280-2658881748-983986378-1000_StartupInfo1.xml"
                                            1⤵
                                              PID:5028
                                            • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                                              "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-817259280-2658881748-983986378-1000_StartupInfo2.xml"
                                              1⤵
                                                PID:2884
                                              • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
                                                "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-817259280-2658881748-983986378-1000_StartupInfo2.xml"
                                                1⤵
                                                  PID:4720
                                                • C:\Windows\system32\NOTEPAD.EXE
                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-817259280-2658881748-983986378-1000_StartupInfo2.xml
                                                  1⤵
                                                    PID:2920
                                                  • C:\Windows\system32\OpenWith.exe
                                                    C:\Windows\system32\OpenWith.exe -Embedding
                                                    1⤵
                                                    • Modifies registry class
                                                    PID:3572
                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\WDI\LogFiles\BootPerfDiagLogger.etl
                                                      2⤵
                                                      • Opens file in notepad (likely ransom note)
                                                      PID:1468
                                                  • C:\Windows\system32\OpenWith.exe
                                                    C:\Windows\system32\OpenWith.exe -Embedding
                                                    1⤵
                                                    • Modifies registry class
                                                    PID:660
                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001
                                                      2⤵
                                                      • Opens file in notepad (likely ransom note)
                                                      PID:5044

                                                  Network

                                                  MITRE ATT&CK Matrix ATT&CK v13

                                                  Defense Evasion

                                                  Modify Registry

                                                  1
                                                  T1112

                                                  Credential Access

                                                  Unsecured Credentials

                                                  2
                                                  T1552

                                                  Credentials In Files

                                                  2
                                                  T1552.001

                                                  Discovery

                                                  Query Registry

                                                  2
                                                  T1012

                                                  Peripheral Device Discovery

                                                  1
                                                  T1120

                                                  System Information Discovery

                                                  2
                                                  T1082

                                                  Collection

                                                  Data from Local System

                                                  2
                                                  T1005

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\ProgramData\44\Process.txt
                                                    Filesize

                                                    1KB

                                                    MD5

                                                    e09da96c9a5db54a25bf7eafb4ba99b8

                                                    SHA1

                                                    56542c52f405d72e9f7f01a5bfcf0eab6382de03

                                                    SHA256

                                                    7885148c8d032467f20efbc3cf9338ca790420619ce186e69c01eea97c4b989a

                                                    SHA512

                                                    4a33e32618fec2077c4da7ff019944334db535470508f633e28711650e8ec74cfd17c8d2bf314fec5d262526c0f638ef873a49ae56ed3a79609f669385e2912a

                                                  • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1
                                                    Filesize

                                                    264KB

                                                    MD5

                                                    cd0f173769c8f49e75c732d9edf1415a

                                                    SHA1

                                                    ce7e0d96bebd5f48eacfa0d9730298a4a9c008f1

                                                    SHA256

                                                    54b3677b20fa80d677d170c8754b5184d0603c31ac4f3a816e12cc8e2b01a73b

                                                    SHA512

                                                    5caa7dc71927579a32fd3e9c96c053944dfb42b3c11aa6ce6a3e3889ac41183ee2b06b567413054a802fb1639404068055ec3afece6acc4a60a1a201eb4c9ddd

                                                  • C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links
                                                    Filesize

                                                    128KB

                                                    MD5

                                                    747d85fe6d7e00eea0370d58b3a19d0a

                                                    SHA1

                                                    a24a5f52cd97316a3c5e5d93d41c6839c68433de

                                                    SHA256

                                                    279acc84de96cf580ba652fd60ae23c80828992211e2cedacf2244187777c8a9

                                                    SHA512

                                                    bf7212d5f60d0bc99111f76c7115308ceb693e1a2a49b382eb036ece1ca741f8890ded31cc534dd8f0fc660960b77f9e5b33a6b9252fc025b1a8a898ce1f437d

                                                  • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat
                                                    Filesize

                                                    145KB

                                                    MD5

                                                    0ca92e00a9ce4375a3638046691b4bc9

                                                    SHA1

                                                    5a157e36bc4f2d9e92603360272114bdc0c05a6f

                                                    SHA256

                                                    d4438f7c878c75f83cb468efcf7c34f76c7db8e04a90a40314785addf2227151

                                                    SHA512

                                                    bf22570e1899f239c117a4e3bd1f46f6e656ee3615490c45157c8dfc18bc3021f6b7a75afba908c2c31850c4f5db7fb56e08059eeb36552720a7aa5d9f7c23c7

                                                  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store
                                                    Filesize

                                                    10KB

                                                    MD5

                                                    19cfa6de6fe7c739d836a168cc98ab50

                                                    SHA1

                                                    979a0862258b113e08f6627b7e27200ecc92ee52

                                                    SHA256

                                                    78876cb9004c11ce8a2924005afae083bfb04d26d4a24f77a88eed0a8bd6f8b7

                                                    SHA512

                                                    0020a209321769ed858010a27c42b1fa4dd525746c8dba171b0c0a0b29d1121a52ea57d8f4565021cf0533d1b646b97acd9f1056c3103646f7a9de26c6ed67e1

                                                  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei
                                                    Filesize

                                                    23KB

                                                    MD5

                                                    dc999f8f0ab71850334f3cc7d33d81a0

                                                    SHA1

                                                    580fbe0bd82ac3b970fde9c1a865a524cebf4776

                                                    SHA256

                                                    393a717012fcd3e78946aedbac45cade2b1c87cbba9e19e0de6539b06d92a5d2

                                                    SHA512

                                                    61e276198d2a190a9cf9ff519772b763a5c137e55fe405cf7183b1071a6d53026a5d6436a1efef1b390db3674155df98ffb88309cdb6d8a35de2c0c292b0c4e8

                                                  • memory/2884-230-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/2884-226-0x00007FF8BF3B0000-0x00007FF8BF679000-memory.dmp
                                                    Filesize

                                                    2.8MB

                                                  • memory/2884-225-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/3632-212-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-214-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-204-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-205-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-209-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-210-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-211-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-203-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-213-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/3632-215-0x000001497D310000-0x000001497D311000-memory.dmp
                                                    Filesize

                                                    4KB

                                                  • memory/4720-231-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/4720-229-0x00007FF8BF3B0000-0x00007FF8BF679000-memory.dmp
                                                    Filesize

                                                    2.8MB

                                                  • memory/4720-228-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/4832-127-0x00007FF8A21B0000-0x00007FF8A2C71000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                  • memory/4832-0-0x000001A5470F0000-0x000001A54713A000-memory.dmp
                                                    Filesize

                                                    296KB

                                                  • memory/4832-20-0x00007FF8A21B0000-0x00007FF8A2C71000-memory.dmp
                                                    Filesize

                                                    10.8MB

                                                  • memory/4832-29-0x000001A561690000-0x000001A5616A0000-memory.dmp
                                                    Filesize

                                                    64KB

                                                  • memory/5028-217-0x00007FF881C90000-0x00007FF881CA0000-memory.dmp
                                                    Filesize

                                                    64KB

                                                  • memory/5028-223-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/5028-222-0x00007FF881C90000-0x00007FF881CA0000-memory.dmp
                                                    Filesize

                                                    64KB

                                                  • memory/5028-221-0x00007FF8BF3B0000-0x00007FF8BF679000-memory.dmp
                                                    Filesize

                                                    2.8MB

                                                  • memory/5028-220-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/5028-219-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB

                                                  • memory/5028-218-0x00007FF8C1C10000-0x00007FF8C1E05000-memory.dmp
                                                    Filesize

                                                    2.0MB