Analysis
- max time kernel: 158s
- max time network: 158s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:00
Static task: static1
Behavioral tasks (task, sample, resource):
- behavioral1: BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe, win7-en-20211208
- behavioral2: BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe, win10-en-20211208
- behavioral3: BHC-PR/British High Commission Peter Emmerson.exe, win7-en-20211208
- behavioral4: BHC-PR/British High Commission Peter Emmerson.exe, win10-en-20211208
- behavioral5: BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe, win7-en-20211208
- behavioral6: BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe, win10-en-20211208
- behavioral7: BHC-PR/British High Commission Rhinnon Mills receipts.exe, win7-en-20211208
- behavioral8: BHC-PR/British High Commission Rhinnon Mills receipts.exe, win10-en-20211208
- behavioral9: BHC-PR/British High Commission Rhinnon Mills.exe, win7-en-20211208
- behavioral10: BHC-PR/British High Commission Rhinnon Mills.exe, win10-en-20211208
- behavioral11: BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe, win7-en-20211208
- behavioral12: BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe, win10-en-20211208
General
- Target: BHC-PR/British High Commission Rhinnon Mills.exe
- Size: 687KB
- MD5: 41120771530675f31125936f630d7a67
- SHA1: 9f55015e9bfbb65f0a5b2ad8deaea1df67660fec
- SHA256: 1bf6dc9af6dd730120f598d02f139f5a7776993afe29679f83a3d2fda3599736
- SHA512: 62c4c55cf8b9c987c064300210ce746242565d4e3b0ff0008cbcf5fac4668e4cc14d007caa697dcb3774fb1ec679646cb4bff3f012ef0e104870277fcd5f7e58
Malware Config
Signatures
- CrimsonRAT Main Payload (2 IoCs)
  Processes (resource, yara_rule):
  C:\ProgramData\Hanthavra\rnthiavesa.exe  family_crimsonrat
  C:\ProgramData\Hanthavra\rnthiavesa.exe  family_crimsonrat
- CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  652  rnthiavesa.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  British High Commission Rhinnon Mills.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process): 4288 AcroRd32.exe, for all 16 entries
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process): 4288 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid, process): 4288 AcroRd32.exe, for all 6 entries
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); unique parent/target pairs among the 64 entries:
  PID 3440 wrote to memory of 4288  British High Commission Rhinnon Mills.exe -> AcroRd32.exe
  PID 3440 wrote to memory of 652   British High Commission Rhinnon Mills.exe -> rnthiavesa.exe
  PID 4288 wrote to memory of 1772  AcroRd32.exe -> RdrCEF.exe
  PID 1772 wrote to memory of 5020  RdrCEF.exe -> RdrCEF.exe
  PID 1772 wrote to memory of 2856  RdrCEF.exe -> RdrCEF.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe (depth 1, PID 3440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 2, PID 4288)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills-03-.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 3, PID 1772)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 5020)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3826FF37FC486521C7B42CFD563A3347 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3826FF37FC486521C7B42CFD563A3347 --renderer-client-id=2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 2856)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FBF68C48FC127312367DCA5C6A1869EE --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 668)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=41D3186009B3F087028DF55360B918A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=41D3186009B3F087028DF55360B918A6 --renderer-client-id=4 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 4636)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=00E0A9C19A59A98652C12ECB9A3FB0F5 --mojo-platform-channel-handle=2204 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 2152)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C1BF3C77DEF198A8257D3CA1136FC6D --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 4, PID 1412)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5AACA2B2D2DAC3E73DE876CC362427B4 --mojo-platform-channel-handle=2244 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - C:\ProgramData\Hanthavra\rnthiavesa.exe (depth 2, PID 652)
    Command line: "C:\ProgramData\Hanthavra\rnthiavesa.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads