eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe
Size

242KB
MD5

300332204048c626edab9c9d8d0f5ae0
SHA1

ec9a84810e5eeed7140b6f5b396dd0f7697ebbec
SHA256

eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a
SHA512

8bfd808aa805c3088adc293e9a7996e26c7cc09341ba793f68292ab84c5f7bbe8fac7388bc106c1e5215dbda7e82c687e4c0e0bd0725ea67fc74d5f375aee8cf
SSDEEP

6144:RK5ArKjbAxXSaegUqGeGpBohM4Uj3ZmPMXwk:9rEbA5SpqJCohGNm6D

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3352	credhost.exe
4688	Credasks.exe
4976	~6E10.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgvate = "C:\\Users\\Admin\\AppData\\Roaming\\certgini\\credhost.exe"	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Credasks.exe	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3352	credhost.exe
3352	credhost.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE
4688	Credasks.exe
4688	Credasks.exe
2020	Explorer.EXE
2020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2020	Explorer.EXE
Token: SeCreatePagefilePrivilege	2020	Explorer.EXE
Token: SeShutdownPrivilege	2020	Explorer.EXE
Token: SeCreatePagefilePrivilege	2020	Explorer.EXE
Token: SeShutdownPrivilege	2020	Explorer.EXE
Token: SeCreatePagefilePrivilege	2020	Explorer.EXE
Token: SeShutdownPrivilege	2020	Explorer.EXE
Token: SeCreatePagefilePrivilege	2020	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3332	AcroRd32.exe
2020	Explorer.EXE
2020	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3332	AcroRd32.exe
3332	AcroRd32.exe
3332	AcroRd32.exe
3332	AcroRd32.exe
3332	AcroRd32.exe
3332	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3352	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	81
PID 4536 wrote to memory of 3352	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	81
PID 4536 wrote to memory of 3352	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	81
PID 3352 wrote to memory of 4976	3352	credhost.exe	83
PID 3352 wrote to memory of 4976	3352	credhost.exe	83
PID 4976 wrote to memory of 2020	4976	~6E10.tmp	47
PID 4536 wrote to memory of 3332	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	84
PID 4536 wrote to memory of 3332	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	84
PID 4536 wrote to memory of 3332	4536	eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe	84
PID 3332 wrote to memory of 796	3332	AcroRd32.exe	85
PID 3332 wrote to memory of 796	3332	AcroRd32.exe	85
PID 3332 wrote to memory of 796	3332	AcroRd32.exe	85
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 940	796	RdrCEF.exe	88
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89
PID 796 wrote to memory of 1648	796	RdrCEF.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2020
- C:\Users\Admin\AppData\Local\Temp\eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe
  "C:\Users\Admin\AppData\Local\Temp\eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Roaming\certgini\credhost.exe
    "C:\Users\Admin\AppData\Roaming\certgini\credhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Users\Admin\AppData\Local\Temp\~6E10.tmp
      "C:\Users\Admin\AppData\Local\Temp\~6E10.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~6E30.tmp.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A18041023E5B1B04A087AC4CD8A2DD34 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:940
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=994E4D6C4EC1A1CF388843E8D6D227E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=994E4D6C4EC1A1CF388843E8D6D227E6 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6737F2BD694C4AF67855682D4870219B --mojo-platform-channel-handle=2160 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4292
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=03AA7D61D654E692302578FF3240646B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=03AA7D61D654E692302578FF3240646B --renderer-client-id=5 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4368
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0509BC98BA4EDB43623AEC63DE72C620 --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4464
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=98F842C68CA03DB6BAC5D205BA6C91A3 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2000

C:\Windows\SysWOW64\Credasks.exe
C:\Windows\SysWOW64\Credasks.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6E10.tmp

Filesize
6KB

MD5
9940e6fcfa6a5f304a3d0b7e7a6f22ba

SHA1
f7b04a02052bc72492c1df5e228150872489d0ef

SHA256
b8c05f8101c7307b26a30ee0df435bf8f164e76f0da5a342db9dabde5c58861f

SHA512
0e61d46895ccb3a6f2b5b3474eefcd8db9f0b7cc9360dc5a61c92c3c58c65e14f65bcfc7ccc179021dde1e2dc1f783a933409a8bab50ea724b0506362c405033

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6E10.tmp

Filesize
6KB

MD5
9940e6fcfa6a5f304a3d0b7e7a6f22ba

SHA1
f7b04a02052bc72492c1df5e228150872489d0ef

SHA256
b8c05f8101c7307b26a30ee0df435bf8f164e76f0da5a342db9dabde5c58861f

SHA512
0e61d46895ccb3a6f2b5b3474eefcd8db9f0b7cc9360dc5a61c92c3c58c65e14f65bcfc7ccc179021dde1e2dc1f783a933409a8bab50ea724b0506362c405033

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6E30.tmp.pdf

Filesize
37KB

MD5
86eaf14cc099c122ec553ac3db99adcc

SHA1
b016f90dfce7b1a06078ff32863fb05e7b6e097c

SHA256
e850cc05e17f6998a31ea7f07a400e67e7135400eff388df2e1dd87016e6f6ca

SHA512
d0524df2c8ef78fa5cc6554d3798f49ca663a955f83f3b76d82dc8168e2d88ae28a227a4b06796622fdff2cabbf9f4fd6a04df9a47998e851ea4ed3e25e8d780

Download Submit
C:\Users\Admin\AppData\Roaming\certgini\credhost.exe

Filesize
172KB

MD5
19355475ebb599252b7d5e415527c0d8

SHA1
91f725e94ab49612c9ec88113232d8a560fa9353

SHA256
566af7edae3b93bce20cddad133965b3eee2bf78a7f0180f546032b4e0aab33a

SHA512
acea47e23a18ae5cbebe5dddfa86d9cb8152ebacf7fb60b6856190365ee34849edada17fc3b0ea57b129475c03175ca777667280dea4a5a765219d06f118ffa1

Download Submit
C:\Users\Admin\AppData\Roaming\certgini\credhost.exe

Filesize
172KB

MD5
19355475ebb599252b7d5e415527c0d8

SHA1
91f725e94ab49612c9ec88113232d8a560fa9353

SHA256
566af7edae3b93bce20cddad133965b3eee2bf78a7f0180f546032b4e0aab33a

SHA512
acea47e23a18ae5cbebe5dddfa86d9cb8152ebacf7fb60b6856190365ee34849edada17fc3b0ea57b129475c03175ca777667280dea4a5a765219d06f118ffa1

Download Submit
C:\Windows\SysWOW64\Credasks.exe

Filesize
242KB

MD5
300332204048c626edab9c9d8d0f5ae0

SHA1
ec9a84810e5eeed7140b6f5b396dd0f7697ebbec

SHA256
eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a

SHA512
8bfd808aa805c3088adc293e9a7996e26c7cc09341ba793f68292ab84c5f7bbe8fac7388bc106c1e5215dbda7e82c687e4c0e0bd0725ea67fc74d5f375aee8cf

Download Submit
C:\Windows\SysWOW64\Credasks.exe

Filesize
242KB

MD5
300332204048c626edab9c9d8d0f5ae0

SHA1
ec9a84810e5eeed7140b6f5b396dd0f7697ebbec

SHA256
eb20f5d033c7d52669b1788f38d73081102a7921c764609a3ea7a04abc42ef7a

SHA512
8bfd808aa805c3088adc293e9a7996e26c7cc09341ba793f68292ab84c5f7bbe8fac7388bc106c1e5215dbda7e82c687e4c0e0bd0725ea67fc74d5f375aee8cf

Download Submit
memory/796-146-0x0000000000000000-mapping.dmp

Download
memory/940-148-0x0000000000000000-mapping.dmp

Download
memory/1648-151-0x0000000000000000-mapping.dmp

Download
memory/2000-167-0x0000000000000000-mapping.dmp

Download
memory/2020-144-0x0000000002BF0000-0x0000000002C31000-memory.dmp

Filesize
260KB

Download
memory/3332-143-0x0000000000000000-mapping.dmp

Download
memory/3352-139-0x0000000001060000-0x000000000109E000-memory.dmp

Filesize
248KB

Download
memory/3352-133-0x0000000000000000-mapping.dmp

Download
memory/4292-156-0x0000000000000000-mapping.dmp

Download
memory/4368-159-0x0000000000000000-mapping.dmp

Download
memory/4464-164-0x0000000000000000-mapping.dmp

Download
memory/4536-132-0x0000000000BD0000-0x0000000000C1F000-memory.dmp

Filesize
316KB

Download
memory/4688-142-0x0000000000BA0000-0x0000000000BEF000-memory.dmp

Filesize
316KB

Download
memory/4976-137-0x0000000000000000-mapping.dmp

Download