Overview

Score: 10/10 on the static task and on every behavioral task (each of the six samples was run on windows7_x64 and on windows10_x64; the full task list is below).
Analysis (score 10/10)

max time kernel:   115s
max time network:  152s
platform:          windows10_x64
resource:          win10-en-20211208
submitted:         21-01-2022 23:00
Tasks

static1       Static task
behavioral1   BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe                     win7-en-20211208
behavioral2   BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe                     win10-en-20211208
behavioral3   BHC-PR/British High Commission Peter Emmerson.exe                                    win7-en-20211208
behavioral4   BHC-PR/British High Commission Peter Emmerson.exe                                    win10-en-20211208
behavioral5   BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe       win7-en-20211208
behavioral6   BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe       win10-en-20211208
behavioral7   BHC-PR/British High Commission Rhinnon Mills receipts.exe                            win7-en-20211208
behavioral8   BHC-PR/British High Commission Rhinnon Mills receipts.exe                            win10-en-20211208
behavioral9   BHC-PR/British High Commission Rhinnon Mills.exe                                     win7-en-20211208
behavioral10  BHC-PR/British High Commission Rhinnon Mills.exe                                     win10-en-20211208
behavioral11  BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe  win7-en-20211208
behavioral12  BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe  win10-en-20211208

The sections that follow cover behavioral8 (the "Rhinnon Mills receipts" sample on win10-en-20211208).
General

Target:  BHC-PR/British High Commission Rhinnon Mills receipts.exe
Size:    706KB
MD5:     b3ec999208c86b7a635cc3d2474793ec
SHA1:    091603e621eb2f30a38464fae3a758be39f5beb8
SHA256:  93f2358f631d4bf5a1f16b40c5bb9479dbda492d6e96c2fd9760854d219faab1
SHA512:  74eda3e3b410e44773ac6ad4e54938bab9f306f1a1036c93e8d509a7419d400e0974dd585b4b7ee5e640477231fe1e73f24957662f12b98d6109478ab9b4cdf4
Malware Config
Signatures
CrimsonRAT Main Payload (2 IoCs)
Processes:
  resource                                  yara_rule
  C:\ProgramData\Hanthavra\rnthiavesa.exe   family_crimsonrat
  C:\ProgramData\Hanthavra\rnthiavesa.exe   family_crimsonrat
The YARA match is on the dropped file only, not on the submitted executable: the submitted file behaves as a wrapper that writes a decoy PDF to the user's Documents folder and the RAT to C:\ProgramData\Hanthavra\ (see the process tree below).

CrimsonRat
Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor.

Executes dropped EXE (1 IoC)
Processes:
  pid 1452  rnthiavesa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this run the sample is a CrimsonRAT dropper, so drive enumeration for file discovery and collection is the more plausible reading.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  AcroRd32.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  AcroRd32.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Both reads come from AcroRd32.exe (PID 2792), the Adobe Reader instance the dropper launched on the decoy PDF, not from the dropper or the CrimsonRAT payload. Treat this signature as viewer noise here rather than as sandbox evasion by the malware.

Modifies Internet Explorer settings (1 IoC)
Processes:
  AcroRd32.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Again attributable to the decoy viewer, not to the malware.

Modifies registry class (1 IoC)
Processes:
  British High Commission Rhinnon Mills receipts.exe  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid 2792  AcroRd32.exe  (20 entries)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid 2792  AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid 2792  AcroRd32.exe  (6 entries)

All three of the signatures above fire only on AcroRd32.exe, the decoy viewer, and carry no information about the dropper or the payload.

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID, number of entries):
  2700 British High Commission Rhinnon Mills receipts.exe  -> 2792 AcroRd32.exe     3
  2700 British High Commission Rhinnon Mills receipts.exe  -> 1452 rnthiavesa.exe   2
  2792 AcroRd32.exe                                        -> 2068 RdrCEF.exe       3
  2792 AcroRd32.exe                                        -> 2080 RdrCEF.exe       3
  2068 RdrCEF.exe                                          -> 2580 RdrCEF.exe      41
  2068 RdrCEF.exe                                          -> 1800 RdrCEF.exe      12
Every source/target pair here is a parent writing into a child it has just created. CreateProcess itself writes startup data (the process parameters block) into the new child, so this signature fires for any process that launches children; on its own it is not evidence of code injection. What is worth keeping from this table is the parent/child relationship it confirms: 2700 spawned both the decoy viewer (2792) and the payload (1452).
Processes (tree; each entry is PID, image and command line, followed by the signatures attributed to it)

PID 2700  "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  PID 2792  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills receipts-03-.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 2068  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

      PID 2580  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0E1B01CEDEB2F3ACBECAF9E8CAE891A9 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      PID 1800  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4D329FC28F74575712BF42CB0877685F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4D329FC28F74575712BF42CB0877685F --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1

    PID 2080  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

    PID 3264  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

      PID 1264  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=48CB2D2CB99D2911C6D06968FADF0AA1 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      PID 952  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=85B4967236B9A8210E1832F979E5A34B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=85B4967236B9A8210E1832F979E5A34B --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1

      PID 1704  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC7A528885854DEF81C9A73F77C23D97 --mojo-platform-channel-handle=2060 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      PID 2968  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18DA896C82B04B326F0F6D9C648CB20D --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      PID 3284  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B6F128717CF2E5823070F7AD74637F2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      PID 2080  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2DB0CDCED1ECD94393E5116D42508B50 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2DB0CDCED1ECD94393E5116D42508B50 --renderer-client-id=8 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1

    PID 2176  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

  PID 1452  "C:\ProgramData\Hanthavra\rnthiavesa.exe"
    - Executes dropped EXE

Reading the tree: everything under PID 2792 is Adobe Reader and its Chromium (CEF) helper processes rendering the decoy PDF; the only malicious branch besides the dropper itself is PID 1452, the CrimsonRAT payload written to C:\ProgramData\Hanthavra\. PID 2080 appears twice (first as a --backgroundcolor helper under 2068, later as a renderer under 3264), which means the first process had exited and the PID was reused.
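The tree above is the shape an endpoint detection should key on: a binary running from a user's Temp folder launches a document viewer on a freshly written decoy and, as a sibling, an executable from C:\ProgramData\. The following Python is an added example, not code from the Triage report or from its signature engine. It runs that logic over process-creation records constructed from the report's tree (Sysmon Event ID 1 style fields pid/ppid/image/cmdline are assumed; the dropper's parent PID 1234, the viewer list and the drop-directory list are assumptions, since the report does not give them). It generalizes beyond AcroRd32.exe to Office viewers, and it requires the parent itself to live in a drop directory, which is what keeps explorer.exe opening a PDF next to a downloaded installer from firing.

```python
"""Flag the 'decoy document + dropped payload' launch pattern in process-creation events.

Added example; not code from the Triage report or its signature engine.
"""
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records, taken from the process tree in the
# report above. The dropper's own parent (ppid 1234) is an assumption: the report
# does not show it. The RdrCEF helper processes below 2068 are omitted.
SAMPLE_EVENTS = [
    {"pid": 2700, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe"'},
    {"pid": 2792, "ppid": 2700,
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills receipts-03-.pdf"'},
    {"pid": 2068, "ppid": 2792,
     "image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043'},
    {"pid": 1452, "ppid": 2700,
     "image": r"C:\ProgramData\Hanthavra\rnthiavesa.exe",
     "cmdline": r'"C:\ProgramData\Hanthavra\rnthiavesa.exe"'},
]

# Viewers an attacker typically launches on a decoy (illustrative list, an assumption).
DOC_VIEWERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# The command line ends with a document path, optionally quoted.
DOC_ARG = re.compile(r'\.(pdf|docx?|xlsx?|pptx?|rtf)"?\s*$', re.IGNORECASE)
# User-writable locations where a freshly dropped second stage tends to land (assumption;
# tune for the estate, e.g. AppData\Local\Programs hosts legitimate per-user installs).
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\")


def _name(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_drop_dir(path):
    return path.lower().startswith(DROP_DIRS)


def is_decoy_viewer(ev):
    """A known document viewer launched with a document as its argument."""
    return _name(ev["image"]) in DOC_VIEWERS and DOC_ARG.search(ev["cmdline"]) is not None


def is_dropped_binary(ev):
    """An .exe running from a user-writable drop directory."""
    return _name(ev["image"]).endswith(".exe") and in_drop_dir(ev["image"])


def find_decoy_drop_pairs(events):
    """Return one finding per parent that launched both a decoy viewer and a dropped binary."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        # Only a parent that itself runs from a drop directory is a dropper candidate;
        # explorer.exe opening a PDF beside an installer is not this pattern.
        if parent is None or not is_dropped_binary(parent):
            continue
        decoys = [k["pid"] for k in kids if is_decoy_viewer(k)]
        payloads = [k["pid"] for k in kids if is_dropped_binary(k)]
        if decoys and payloads:
            findings.append({"parent_pid": ppid, "parent_image": parent["image"],
                             "decoy_pids": decoys, "payload_pids": payloads})
    return findings


if __name__ == "__main__":
    for f in find_decoy_drop_pairs(SAMPLE_EVENTS):
        print(f"dropper pid {f['parent_pid']}: decoy {f['decoy_pids']} payload {f['payload_pids']}")
```

On the report's tree this yields a single finding: parent 2700 with decoy 2792 and payload 1452. The parent-location check is the deliberate trade-off: it suppresses the common benign case at the cost of missing a dropper that has already migrated into Program Files, which a separate file-write rule would have to cover.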
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files)

The first two entries carry identical hashes, so the report lists the same file twice; the third is a different file.

1.
  MD5     93e588df26c62a47d3564e58ec988368
  SHA1    fcd11555531f636245d4c03f151dceb62ba72f6e
  SHA256  6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc
  SHA512  0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

2. (same hashes as entry 1)
  MD5     93e588df26c62a47d3564e58ec988368
  SHA1    fcd11555531f636245d4c03f151dceb62ba72f6e
  SHA256  6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc
  SHA512  0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

3.
  MD5     e2c57ebe26729f9bd50b7338fe60b4c2
  SHA1    bd0f0eae8d26da6bc61b167d2e71843524e8785b
  SHA256  36527efca902242b058e77be936dbe382b1822a505de66596f118af382916a4e
  SHA512  6583c07fe4355b502197510d1bd62ab45e8bd543195118f49074b7dff59743fbaa18b0db71a4b993adba60a59c2c70ac9d0628657397a6838479bd74e7d7ec8c
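As extracted, the Downloads block is typical of a sandbox-report dump: some hash labels sit on the line before their value and others are fused to it ("SHA1fcd1..."), and two of the three entries are the same file. The following Python is an added example, not code from the Triage report or the sandbox; it parses that layout back into labelled hashes, validates each by its expected hex length so a fused label cannot silently swallow or drop digits, and deduplicates by SHA-256. The input is the report's own three entries, embedded as a constructed string in the raw extracted form.

```python
"""Extract, validate and deduplicate file-hash IoCs from a flattened sandbox-report dump.

Added example; not code from the Triage report or the sandbox.
"""
import re

# Hash labels the report uses and the hex length each value must have.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label, optionally fused directly to its hex value ("SHA1fcd1...").
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed input: the report's Downloads block exactly as extracted above,
# with '-' separating entries and labels either bare or fused to their value.
SAMPLE_TEXT = """\
-
MD5
93e588df26c62a47d3564e58ec988368
SHA1fcd11555531f636245d4c03f151dceb62ba72f6e
SHA2566cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc
SHA5120f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef
-
MD5
93e588df26c62a47d3564e58ec988368
SHA1fcd11555531f636245d4c03f151dceb62ba72f6e
SHA2566cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc
SHA5120f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef
-
MD5
e2c57ebe26729f9bd50b7338fe60b4c2
SHA1bd0f0eae8d26da6bc61b167d2e71843524e8785b
SHA25636527efca902242b058e77be936dbe382b1822a505de66596f118af382916a4e
SHA5126583c07fe4355b502197510d1bd62ab45e8bd543195118f49074b7dff59743fbaa18b0db71a4b993adba60a59c2c70ac9d0628657397a6838479bd74e7d7ec8c
"""


def parse_hash_entries(text):
    """Return one dict per '-' separated entry: {label: hex, ..., 'errors': [labels with a bad length]}."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                       # entry separator
            if current:
                entries.append(current)
            current, pending = {}, None
            continue
        if current is None:                   # text that starts without a separator
            current = {}
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).lower()
            if value:                         # fused form: label and hex on one line
                current[label] = value
            else:                             # bare label: hex follows on the next line
                pending = label
            continue
        if pending and HEX_RE.match(line):    # value line following a bare label
            current[pending] = line.lower()
            pending = None
    if current:
        entries.append(current)
    # Length validation is what makes the fused form safe: a label that swallowed a
    # leading digit, or a value that lost one, shows up here instead of being accepted.
    for e in entries:
        e["errors"] = [k for k, v in e.items() if k in HASH_LEN and len(v) != HASH_LEN[k]]
    return entries


def unique_by_sha256(entries):
    """Drop repeated entries (same file listed twice), keeping the first occurrence."""
    seen, out = set(), []
    for e in entries:
        key = e.get("SHA256")
        if key and key not in seen:
            seen.add(key)
            out.append(e)
    return out


if __name__ == "__main__":
    for e in unique_by_sha256(parse_hash_entries(SAMPLE_TEXT)):
        print(e["SHA256"], "errors:" if e["errors"] else "ok", e["errors"] or "")
```

Run on the report's three entries this produces two unique files and no length errors; the MD5, SHA-1, SHA-256 and SHA-512 values pass through exactly as listed. The length check is the part worth keeping in any IoC pipeline: a 63-character "SHA256" copied out of a PDF or a fused label will never match a real file, and it is better to fail loudly at ingestion than to ship a dead indicator.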