Analysis
-
max time kernel
240s -
max time network
243s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
02/05/2024, 23:39
General
-
Target
https://github.com/bludmoonakirisu676/Discord-nitro
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 13 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 21 IoCs
-
NTFS ADS 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/bludmoonakirisu676/Discord-nitro1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefc0f3cb8,0x7ffefc0f3cc8,0x7ffefc0f3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4948 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6412 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7z2404.exe"C:\Users\Admin\Downloads\7z2404.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,18302130138894144096,8960458637122302644,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5992 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest.7z"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE73B7CBE4FE035A46040A59D4B84EAB --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19A3CB39CA5C3096AFF724BF115212E7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19A3CB39CA5C3096AFF724BF115212E7 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:14⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=45A43B500E2BF7AF661B5E0C9F4AEB81 --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2AD99A32599BA3797FDBA0C1A53C8987 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3286A743052993A7EBF6AFCF57C900F6 --mojo-platform-channel-handle=2472 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\" -ad -an -ai#7zMap26593:114:7zEvent94231⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\password-2024.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"C:\Users\Admin\Downloads\Git_Installer_v1.4.6_latest\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD56e498afe43878690d3c18fab2dd375a5
SHA1b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd
SHA256beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78
SHA5123bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7
-
Filesize
152B
MD5b8b53ef336be1e3589ad68ef93bbe3a7
SHA1dec5c310225cab7d871fe036a6ed0e7fc323cf56
SHA256fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1
SHA512a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537
-
Filesize
1KB
MD5cb2bf2edaed6a73e65a0bbe4831f5c15
SHA176d122d3a5ded24545c35cdf8891d19d00e849ae
SHA2561d6c36bef79dd4ae2203fc720e9cc6043a576dad7b3678cef5b44d28c932b44b
SHA512d6aae480ec10e1272213935e3710d3d75611579cdac201daac5b0a9f66336a507fcc2c211471b9c4ca2303ffb15018fc2d02ca07bb251ce7d00ee4811cb6a28f
-
Filesize
3KB
MD598e60098e958829e25ad3ac1c84a45d7
SHA1f98ec19d2f8976bbe0524aedacaf311bdd5a4c0b
SHA256271ac78e4896c58c003c9e61c5733d8bf906c6aa799056e038a9e2112d2d7b36
SHA512e46a66851a92e22073fb245040e04eed4e54e3fef65be3e917084c5fdce0dc54f7c897468c67048e84ea7cf35bc39f36e696015c3c8c93608323d694225dcafd
-
Filesize
1KB
MD5520776c22c87afb740842001f47fec14
SHA1608d958de554a39e1a421eee79eca891880aa734
SHA2561eb87296d1686a9c7d7717ace906bde9391f4ef193c070c8657bd029a3904acf
SHA512e05054ba31bfca756de59564fe60b8556d585e53fc8f377cb22c013734f2e66f0ace4b36d3f777528cb7e48f194c2242caae3c1fe355f2407832daf6b1f54bef
-
Filesize
883B
MD55d6751cbf1d89d9288cdac7fa1612102
SHA1012ee613487b907f8dfcf9da9c1e070dca0c5765
SHA256a65264fa508c3651b70cc900f93690e50159834975964850cf90ae6794144db3
SHA512eff01524d60e5a1b15e5d18c4f0553ea0cc9db3549c269cd2d0b3377254ff45b49f0568aa8968e5a53919ea862310ad5c8e4ad889f9f9606479dbdee3197f754
-
Filesize
595B
MD525bc65b7047971f0e7733ed4d18aee23
SHA1be895e7bccbfeb02f7c125a4a76d04b3271257d1
SHA2560c7a286410bde2cc698b902459310fdf2083325d59345efc260215d20ca218ab
SHA51213dff52b17360c5740c5789b1eb1ab70297a1349a0fa47e96161c1970fae8340610098d8e5fa90fb69d2ee89628028e89747d6078982540fcf2e2249e86fb01d
-
Filesize
5KB
MD5d221ac08d77dfb1065a13627eb14e37b
SHA1c0df1c21cd38df9cf9dbd5e9d8f37d99eedc1087
SHA2568d92ce62507194a36ec37a236671f3c7df7b8d0ded4c3e0076c45d84d2b502e5
SHA512087320d1dd7915a180f5dc39b70428bc1601d68dd0d3b76a9f772bc0052849c3a279709a904b149add16b18ab5f07cb8d72ed1da8227514087692427617d1ddd
-
Filesize
6KB
MD5c59d35d9872e731e909bfea185d8776c
SHA15855e35fe1027aba629af7c6fc886bffce831145
SHA256b3bbec624806c5c6a8c614d49f48b2cd6c3ba5e3fd8a12d63ac7cc971475f666
SHA512cff37fc73d447c3ec9b9a2d920c65a002357d086806099b2e52723a379970b254d28d588f21336b973afdffc1d2037fe3765e5756eef4173f502b69f300fe8ed
-
Filesize
6KB
MD5957052400a4909557148df3bd90ff709
SHA114cd788c5c6200ccef0bc078c91fba063f92f5b9
SHA256c75993415a1642bb1448ef19888db43daaa92eb71b33b2e578e2aa5203f95c75
SHA512aa529405378bc9f7ed9bd66e1b26a1b349a791349c447290d360b35b8f20d820bdfaed238142438e55eec0f93504787fd75be6c60a943bb90a186b3657b00dc1
-
Filesize
6KB
MD5398440d88e5ce277615ff3cb5e0001aa
SHA146cf6165615f440f8584a47ddafd10ef8cad4d16
SHA256f0e2cb0cfbe64c25a02b850ce4a587bdf6716a35d2317d904b19a7bc52b54a5d
SHA512e7326b7e409e298abc2fe916d7fe5855b2101808887c039a0b7b8fd812c8200d0cc0d999cdbcd16df8a827b94f31bbfa8f7d18782c3ef0626d3b29fcca8d5a63
-
Filesize
1KB
MD5a79f971ca8f7b6eb6d71b0b95200299f
SHA175f6854c07269aee0aa9bd7fc72beff227834e73
SHA256435c414547e68dfdfc725767dde03cef34d4848247c771504f87a8a3fa856910
SHA512fc98a4b74ce6772a7b4ab74392c4a50e07eb287c738656b397e7e235e09885d0f2b99e19c2894cad43f039965c36d549d1796766f4a9142fe968f27c2375d05f
-
Filesize
1KB
MD589ee7eee2c50ee14d7b687cd5f5a940c
SHA1caebb6c828659ddf0d9b9830dd281b9811bc1d9c
SHA2564c025d2feb80364af1ff9c6e3955e8accc3131c9dbd205eda4f839b89f61be0a
SHA512512ecf40dc27641205c1de026effded42d917b0ebcd83ee97d29ca88499d9f986bce4241f82456c9f3a36d91e1dd6447c311b9f679a88547753c7c6dbaed2f71
-
Filesize
1KB
MD5b1186a950385c4a5371f6b4fa7874698
SHA18ed38525878a128c30b01e26691877bb242ce305
SHA2568ff10443f0893824e3ae12cb1fc0972e26d91bd26a9cb6915f67fb15f640351b
SHA5126622447eaffbfb0cfd5a15bfcb0eb2c5f27381cc3cae46fa7d775a2bdda7a65dc9735002653efc8755c82b7a4d65cb47cf0af3170ffdb15817daf8d65d7bbf61
-
Filesize
1KB
MD5dc74894d0205b91093b0a993dd25eb3c
SHA1d4ba7b4bcc0c5d335d426c8556e607ea2da92745
SHA2560472298827895844b39edd1f001bef6178f4893befc72ff7d77ffed299855a51
SHA51243b78fae68bdb5058e30f5c7bae3791efc2805852c81d2d3f0c48a4b00c0788da8a7dfe33568c3782fe9325a8ecd51c96cc622151008a242eebebac7ae0dbad6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53f3b91326b47340ce6c336f0b30ecbe7
SHA1e4008760bf4e1d214eab1ebf56fbf27b7dd63904
SHA2560145d0e4e66de1e640ddb6119f5d910eede64544eb291d988f760dae0ba64ed6
SHA5128f4c5fdd5b602913f815b2d4cd1a0f145b7c3e63cd3e98adbf6d9e59bf7236cfbd010bf5e8929f03b233c1456a527a26ec7cf0827d8d4570ae0e818d74a71843
-
Filesize
11KB
MD568651027612b1e2e1ddcfe5fcb3453a0
SHA1443169fac7cd9cfb15581b540176de1daf3c6d36
SHA256700fc6a836f3dc57e57284cffbcf46961ff75d1d191fb4a7e00f1275a2ac622b
SHA5123b8b31cf94ff7e9a394237fc99473568ac85d3cf54e4d10e395f9a742d79145b04480cc16931d987863b3e8992c6dc922a755e3fb200c8f6a3a5c594bd9cc024
-
Filesize
12KB
MD532d370e85d5a34418de6aa0306ba9448
SHA16bfa7a3f91dd9df14861651a96e95fa592fa83ea
SHA2564b2c5407e521af62f385857af1f654eae6ab91e47190fe29fd36419edd2a9458
SHA51278c30c3b5d817d6a52ad1000f3a22e7e9f5c7ffaa53007bc5ff93c06772f1456a1b7b78d519c010fcbd95fe8e67d02593bb41d906b93532c53f3c576ef702d0d
-
Filesize
28KB
MD5c7ead5a82f6490899d132f8a890eeb2c
SHA19e63617e574bf99816c75733ff5d90373be7afc8
SHA256f8a33ff6b6c14a5703f99025be62f807eedace59bb0517eeae0c0ed4264f4d4c
SHA5127c2721c2ae5e4f831857b8a33f33b3cdd00f00556bfd4505073e07412a4151a0fb6b5d8af52b7416c1907f8899c79dbfd125eb57129a562a149d4d7854c5808f
-
Filesize
119B
MD5deacb632eb8974c144abc5e263a31212
SHA15b51299b3161392638af230573f6a1fd7a448d6b
SHA256e9e0866dff4b7468db6384297c95386b76134e576a79608bcbf7981e84aa349d
SHA5129ffe48729a52c0778d078f554e48c89a3ca02281e123179e23742d2393a4aa9114de03ecfe33c43478a3db748e00efc76f72eaa6d07cb419d49ccf87c1620344
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
501KB
MD5bebd1f333122c1bdb66a60ed8db8b47a
SHA1543d51bccadbc65bcc54e6620ec1ba7ae8285734
SHA25637e18d58f48a9bae5d7e1549d0a30855a035cbaaf1b5f7a3f84253a8c3060467
SHA512676e6b3b8b6b5975098070c2a093eb2272e27eb7fc1259c1de3dc188eab3e786d0d7e794079e8bc7633de74d6f1f4d26e2df9b552c1fd4a62d31628dd49e415b
-
Filesize
24.8MB
MD5a74e3f2f1a3c439106da641a91578122
SHA183291ec0b8a2a3a1baa711666169d88a50b3493c
SHA25696f3e148d5f368085819891b3271f5bcf5fa11848c7e873fe8bfea2c8a3fc552
SHA512d850e3db457b18a37c37daf78295299c40bb2ab8cf4dccf7860db8c702a433f4346057ade4fe02609a8b85bb790a7b0a112fc010f43bac2f972c8bec5612f025
-
Filesize
1.3MB
MD53e738d0862a9dcc6ca3debff8f0efec5
SHA1a366fc70ebb36eaab0112ebe26dad3499e36b0c7
SHA256d0c8fbf5d726e41d85e51559234b5b3945522e84208df5239ed25f02ef63eff3
SHA512e009410f4a7ddcecf76bcaf207317a28737adee4ff14caeda1876d88bc899d30fd2f9d5f0d8a26ba2d22182fc0143e2c777271924ce9e3dd3bb9b39502e50633
-
Filesize
356KB
-
Filesize
356KB