6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
Size

637KB
MD5

a3554f723c2a1340932c53bed5352110
SHA1

b9f184948c9ad804ad6912c32b3a8f146872eb91
SHA256

6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50
SHA512

d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7
SSDEEP

12288:2rEbA5SpqJCoh/TZAZuHF9h2yQ12h2uLJT3HDR/2brjUJJK:98TOZ89h2yQ1O2wt2brjUrK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3636	logahost.exe
1280	Checskey.exe
392	~CD76.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prinange = "C:\\Users\\Admin\\AppData\\Roaming\\convcurl\\logahost.exe"	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Checskey.exe	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	logahost.exe
3636	logahost.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE
1280	Checskey.exe
1280	Checskey.exe
3064	Explorer.EXE
3064	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe
2064	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3636	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	83
PID 3816 wrote to memory of 3636	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	83
PID 3816 wrote to memory of 3636	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	83
PID 3636 wrote to memory of 392	3636	logahost.exe	85
PID 3636 wrote to memory of 392	3636	logahost.exe	85
PID 392 wrote to memory of 3064	392	~CD76.tmp	40
PID 3816 wrote to memory of 2064	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	88
PID 3816 wrote to memory of 2064	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	88
PID 3816 wrote to memory of 2064	3816	6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe	88
PID 2064 wrote to memory of 4844	2064	AcroRd32.exe	91
PID 2064 wrote to memory of 4844	2064	AcroRd32.exe	91
PID 2064 wrote to memory of 4844	2064	AcroRd32.exe	91
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 2368	4844	RdrCEF.exe	93
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94
PID 4844 wrote to memory of 60	4844	RdrCEF.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
- C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe
  "C:\Users\Admin\AppData\Local\Temp\6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Roaming\convcurl\logahost.exe
    "C:\Users\Admin\AppData\Roaming\convcurl\logahost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\~CD76.tmp
      "C:\Users\Admin\AppData\Local\Temp\~CD76.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~CDA5.tmp.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3BABF13D4FEEA9E3D987AD750F2C307C --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2368
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7AADD5D47D1C46145D4373B22EE705B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7AADD5D47D1C46145D4373B22EE705B2 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:60
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BCD6CC61EFDF448AFA3340AFF970ABBC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BCD6CC61EFDF448AFA3340AFF970ABBC --renderer-client-id=4 --mojo-platform-channel-handle=2264 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91DBDA6FDE6B5835EC811353F4218617 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:976
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF6651491E7FF32660797011D0F70366 --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4712
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD1FA69D89D90A4A48F5A0CB677EDBF1 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4272

C:\Windows\SysWOW64\Checskey.exe
C:\Windows\SysWOW64\Checskey.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~CD76.tmp

Filesize
6KB

MD5
86ec57501ae96e12ffd85b939896fc2c

SHA1
c2966c1af4eec5fba0fd7043c725a9b18b523939

SHA256
3ac160bf5205385317cb88fd70a0cae360cb0141577c76983b256fea8f75e297

SHA512
fc18305bdc9ad67e17f0af23158a1090b45f2a94edb388595755c89a62ea1b44eac205a3a0d16e993e7588fa12d26cba17cee793733f64f1e6b9ad2dd733c51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~CD76.tmp

Filesize
6KB

MD5
86ec57501ae96e12ffd85b939896fc2c

SHA1
c2966c1af4eec5fba0fd7043c725a9b18b523939

SHA256
3ac160bf5205385317cb88fd70a0cae360cb0141577c76983b256fea8f75e297

SHA512
fc18305bdc9ad67e17f0af23158a1090b45f2a94edb388595755c89a62ea1b44eac205a3a0d16e993e7588fa12d26cba17cee793733f64f1e6b9ad2dd733c51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~CDA5.tmp.pdf

Filesize
336KB

MD5
db089ea9084f8fccc7cfb0a064be7dc6

SHA1
9831a0f6c56277563fdbb34ec28fcd6655a0cb9c

SHA256
b1fabddbd4781e19f8299e88b18eb3b27285b491db188d31722031e3afe063be

SHA512
873d7c6397a34c16dd1a9ba5c0623c838717985ac77c49f88d2209882001305a9bb7930983e2a7d1ce7aaa8b18e6e20a6330040da392c6be3ff4adb99935700b

Download Submit
C:\Users\Admin\AppData\Roaming\convcurl\logahost.exe

Filesize
172KB

MD5
08ca31d35b536dcb004b1d5e27be12a9

SHA1
90c685d139606cf7ba14fd7a91146551de2d5e28

SHA256
794fdd82c9408fca72189b537f366b78414a0a6ac63ab98124de1e85fceb5fff

SHA512
00f573937027911fc496151e4f95662de5e7324b66119ec3ea14d3c3a3b3791592b52ed80492fbeb014c0d290774e0c5eaf1e8611622062db495ab5d8878a5f7

Download Submit
C:\Users\Admin\AppData\Roaming\convcurl\logahost.exe

Filesize
172KB

MD5
08ca31d35b536dcb004b1d5e27be12a9

SHA1
90c685d139606cf7ba14fd7a91146551de2d5e28

SHA256
794fdd82c9408fca72189b537f366b78414a0a6ac63ab98124de1e85fceb5fff

SHA512
00f573937027911fc496151e4f95662de5e7324b66119ec3ea14d3c3a3b3791592b52ed80492fbeb014c0d290774e0c5eaf1e8611622062db495ab5d8878a5f7

Download Submit
C:\Windows\SysWOW64\Checskey.exe

Filesize
637KB

MD5
a3554f723c2a1340932c53bed5352110

SHA1
b9f184948c9ad804ad6912c32b3a8f146872eb91

SHA256
6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

SHA512
d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

Download Submit
C:\Windows\SysWOW64\Checskey.exe

Filesize
637KB

MD5
a3554f723c2a1340932c53bed5352110

SHA1
b9f184948c9ad804ad6912c32b3a8f146872eb91

SHA256
6da536f1b13a75b6af9d5ecda9b8fdcef4ef2a510ff04a1b5b756aafc5dfab50

SHA512
d7e53bbb8464418198f71252a88177a6fa365ab4edcad3c5e7041c6b2e54f87e2aa686a713e301522fb4ad6718176a8ef3d43d66aa3546a694542c5a87f7a8f7

Download Submit
memory/1280-142-0x0000000000EA0000-0x0000000000F52000-memory.dmp

Filesize
712KB

Download
memory/3064-143-0x0000000002690000-0x00000000026D1000-memory.dmp

Filesize
260KB

Download
memory/3816-132-0x00000000013D0000-0x0000000001482000-memory.dmp

Filesize
712KB

Download