Resubmissions

14-02-2025 20:11

250214-yypxmsyjf1 10

05-02-2025 09:01

250205-kyy9eszjft 10

15-10-2024 03:47

241015-ecgjlashrh 10

05-08-2024 04:49

240805-ffygys1eke 10

05-08-2024 03:50

240805-eee4jszepd 10

Analysis

  • max time kernel
    230s
  • max time network
    210s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250210-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    14-02-2025 20:11

General

  • Target

    002.7z

  • Size

    11.2MB

  • MD5

    82180da2d9ecde4947a618ff1a37fdad

  • SHA1

    ae327ea9229498e86afb337b87cf6d6f4caaa309

  • SHA256

    cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278

  • SHA512

    606ddfb833eb38952403ae10e9eec694d45e3fb2df326d5825f93257d605552868343e80fd6e3a497d690dabe8ed1493b60843118f1aa5412be8cc55a66335a3

  • SSDEEP

    196608:nYcNyJpHBLBc6gKWYZzbK26sqaddXpgPxydfcNQChzHayMxpJ51LipiFe5TZD0B:n5yJ1pB+KWYtbK26sq25GyxcR6yMt51L

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Fucking_it.txt

Ransom Note
----> Us Nexus Hackers . Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com (Your Systeam Hacked By Us Nexus Hackers White Force) ------- Contact Telegram Group The Virus Upload On Your Mother Board Bios Systeam Or Gpu Bios - (-Warning Dont Reset-Factory You Will Reset Your PC Will Be Crash Burn You Cpu Shell-) Contact ---- Gmail- [email protected] ----- Telegram- https://t.me/usnexushacker ----- Telegram-id Hide Contact Gmail Credit White Hackers -------------------- Cyber Security -------------------- Defance All War ---------------------- Website https://www.propub3r6espa33w.onion Dont Visit The Site Payment informationAmount: 0.3 BTC Bitcoin Wallet: 3LrDFbp6fRqkXE45bLipnrQNg9wMKyTR5S
Wallets

3LrDFbp6fRqkXE45bLipnrQNg9wMKyTR5S

URLs

https://t.me/usnexushacker

https://www.propub3r6espa33w.onion

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Downloads MZ/PE file 1 IoCs
  • Drops startup file 3 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 34 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\002.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2424
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3588
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDcxMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjY2MDQzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMzg3MDQzNjgiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:3248
    • C:\Users\Admin\Documents\1b4d73a9a7c6d2163e7378c97f01fed223be9daa6acb71c81b11491907473f89.exe
      "C:\Users\Admin\Documents\1b4d73a9a7c6d2163e7378c97f01fed223be9daa6acb71c81b11491907473f89.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3128
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2228
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:5060
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:4760
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:672
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Fucking_it.txt
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:1480
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1608
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:3468
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.e1ni"
          2⤵
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4256
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FB5CC2FDDBA4D2C2126C08DB2D41F70C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FB5CC2FDDBA4D2C2126C08DB2D41F70C --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3124
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F069FC32469561A28D0F7C31F02B0F64 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:1020
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D340E21E3AF6ACAA154B53E5AF6AF39 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2068
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=485A3528098A055CD192E821E367CE87 --mojo-platform-channel-handle=2052 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3492
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D99FDDB8715B72B2462C4D49C4FA6FBC --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              4⤵
              • System Location Discovery: System Language Discovery
              PID:2872
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
        1⤵
        • Modifies registry class
        PID:4616
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:4796
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\MicrosoftEdge_X64_133.0.3065.59.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
          1⤵
            PID:4712
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Installs/modifies Browser Helper Object
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:2212
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff747ae6a68,0x7ff747ae6a74,0x7ff747ae6a80
                3⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:4864
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
                3⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                PID:1368
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff747ae6a68,0x7ff747ae6a74,0x7ff747ae6a80
                  4⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:1572
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:1200
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff659d36a68,0x7ff659d36a74,0x7ff659d36a80
                  4⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:3064
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                PID:4948
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff659d36a68,0x7ff659d36a74,0x7ff659d36a80
                  4⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:3028
              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
                3⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                PID:200
                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff659d36a68,0x7ff659d36a74,0x7ff659d36a80
                  4⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:3124

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{5E45A3A4-60C4-407E-993D-31BE53D8A4D2}\EDGEMITMP_FF5F8.tmp\setup.exe

            Filesize

            6.8MB

            MD5

            1b3e9c59f9c7a134ec630ada1eb76a39

            SHA1

            a7e831d392e99f3d37847dcc561dd2e017065439

            SHA256

            ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

            SHA512

            c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

            Filesize

            3.9MB

            MD5

            ad5f7dc7ca3e67dce70c0a89c04519e0

            SHA1

            a10b03234627ca8f3f8034cd5637cda1b8246d83

            SHA256

            663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

            SHA512

            ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7e0a3ae2-8d82-49cb-ad36-81e4b3aabc31.down_data

            Filesize

            555KB

            MD5

            5683c0028832cae4ef93ca39c8ac5029

            SHA1

            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

            SHA256

            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

            SHA512

            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

          • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.e1ni

            Filesize

            756B

            MD5

            ff41976db059f15d532ec25010ae6446

            SHA1

            6323eb0110902f63acf7944d33b7d6ae33e18625

            SHA256

            e9d3b893f1c8c45bcbe639ec26adcc54833ebef129c9f61203af736361a05916

            SHA512

            2cf9af25032161e5e08c1a13879c8cdf7df557f9d3b806207e4f0a7327428f42b6bec56a0d78916b3ddf4e7a127499f6a6b82cca7156b65e8acb204a67c53e75

          • C:\Users\Admin\Documents\1a8f35d0f2b1a11a5b30e6f05ee5c9e93542fc2f559f8e66cf67f2a1b6ccbeb9.exe

            Filesize

            92KB

            MD5

            a23219bddf6b154ca2f5afa89cb2b0c3

            SHA1

            0d63eb57023770b53b6b31f669a03bbdb7a2465b

            SHA256

            1a8f35d0f2b1a11a5b30e6f05ee5c9e93542fc2f559f8e66cf67f2a1b6ccbeb9

            SHA512

            65583cfa9c2d77330e15a5bfce430831b53bf1b018757fa8778618bef44b87b15d20a9bbcd80a1526bb6c582df3b8ff55f0cc7b002c4a1655c3f1ace01d54172

          • C:\Users\Admin\Documents\1b4d73a9a7c6d2163e7378c97f01fed223be9daa6acb71c81b11491907473f89.exe

            Filesize

            490KB

            MD5

            2d23c83d6941cf484da19d4367c02df0

            SHA1

            b63dd1f2e35d8944dee745321643f06037dfe95e

            SHA256

            1b4d73a9a7c6d2163e7378c97f01fed223be9daa6acb71c81b11491907473f89

            SHA512

            28a5d2df80e9a1c5eeb65938479b7b96f754feff28244f91304361bd4c238d533f01d37598eedc95c6549c9066c8f15b2ce16262e02ce944dd47ed6e123ef797

          • C:\Users\Admin\Documents\Fucking_it.txt

            Filesize

            1KB

            MD5

            65be09f680bae0e52ba74b45d94b1415

            SHA1

            e4c7a68e87f2d460ed9cd925e60f2c56b335d7f2

            SHA256

            a318e1070f4dbf17a17ca1eca5a86ec8ecb414526387ea0aeca17b8921dbe41b

            SHA512

            1402f0c863c7c71a9e5aaf8e9b6108d0b3a4ce4d14aa20f482b805642220990515ad38f254392ac42fc6aeb9c6532c9e6cca2a20d4133b56d86c05be52cce14e

          • C:\Windows\SystemTemp\msedge_installer.log

            Filesize

            74KB

            MD5

            d462993f2e793f5d65f3f6821d8ea2f7

            SHA1

            9043945b93d365c4c69117b15f322b83e128f12a

            SHA256

            8df86503b1003ff4ee6207c830e195e7a4c6226e71e8f3ba2516623e546a042c

            SHA512

            1cafcda348bc00b80ab7689abf1f85b43de97880068f41fcdc38ad54fea6f09d9e57ee0e1bb0d5c8a0dfb7f126524b90bad6a43cc4b4091c036044c37d924ca6

          • C:\Windows\SystemTemp\msedge_installer.log

            Filesize

            107KB

            MD5

            3dec11abed5ab1f52aada57524828994

            SHA1

            c6291001255afd7eee074f44ca863aa2090c6ce0

            SHA256

            1794dbc7801172c56afe2d88adf041f0b6bbbfcfdbb20cf3ec2d439c9a5753f8

            SHA512

            e9af9445bbd344aedc9916a8e02117bc94a6567c5d207a525499cd4843184fdd173f7fc30e9cac4305f566653c93c49ae30748f71564b3a2206f57378889af89

          • C:\Windows\SystemTemp\msedge_installer.log

            Filesize

            107KB

            MD5

            054cfe298e5aabcbfa8e889231e7aea7

            SHA1

            1591e46daaf31ec70b789f9722fde6d2016d08ad

            SHA256

            48e4823f4459d400063a0f81d0c3c2de09d881f32e69ad51e6d68836169af8d2

            SHA512

            611c26de09882af02af8f7b521925b6d6fe35af3c932bfc7b2bc86b6d8c99573a3dae558b1fbf4fbdb88844ae9853aff98428736f9077e438c0cbdc7445d61d3

          • memory/644-67-0x0000000000E10000-0x0000000000E90000-memory.dmp

            Filesize

            512KB