Analysis Overview
SHA256
633d5f336758fb117aa71edf1871c393c9fe3313abe61bec31974638ed9d7ce8
Threat Level: Known bad
The file Leonardo_Al.zip was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malformed or missing cross-reference table in PDF
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:54
Signatures
Malformed or missing cross-reference table in PDF
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
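The two static1 signatures above (a PDF whose cross-reference table cannot be located from `startxref`, and a PE that carries no Authenticode signature) are both cheap header checks. What follows is an added example written for this page, not the sandbox's own signature code. The PDF and PE byte strings it builds are constructed, header-only test inputs (the PE is not loadable and its "certificate" is a zero-filled placeholder); `pe_has_authenticode` only reports whether a certificate blob is present in the security data directory, not whether the signature verifies or chains to a trusted root.

```python
import re
import struct

# --- PDF: does the last startxref point at a cross-reference table or xref stream? ---

def check_pdf_xref(data: bytes) -> str:
    """Return 'ok', 'not-pdf', 'missing-startxref', 'bad-offset' or 'no-xref-at-offset'."""
    if not data.startswith(b"%PDF-"):
        return "not-pdf"
    idx = data.rfind(b"startxref")            # the last one wins after incremental updates
    if idx == -1:
        return "missing-startxref"
    m = re.match(rb"startxref\s+(\d+)", data[idx:])
    if not m:
        return "bad-offset"
    off = int(m.group(1))
    if off >= len(data):
        return "bad-offset"
    at = data[off:off + 32].lstrip()
    if at.startswith(b"xref"):                 # classic cross-reference table
        return "ok"
    if re.match(rb"\d+\s+\d+\s+obj", at):      # PDF 1.5+ cross-reference stream object
        return "ok"
    return "no-xref-at-offset"


def build_pdf(xref_offset=None, keep_startxref=True) -> bytes:
    """Constructed minimal PDF; xref_offset overrides the true offset to simulate corruption."""
    header = b"%PDF-1.4\n"
    body = b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    true_off = len(header) + len(body)
    xref = (b"xref\n0 2\n0000000000 65535 f \n" + b"%010d 00000 n \n" % len(header)
            + b"trailer\n<< /Size 2 /Root 1 0 R >>\n")
    tail = b"startxref\n%d\n%%%%EOF\n" % (true_off if xref_offset is None else xref_offset)
    return header + body + xref + (tail if keep_startxref else b"%%EOF\n")


# --- PE: is there an Authenticode blob referenced from the security data directory? ---

IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def pe_has_authenticode(data: bytes) -> bool:
    """True if the security directory points at a non-empty WIN_CERTIFICATE blob (presence only)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                               # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                                  # PE32+
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    off, size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # unlike every other directory entry, this one holds a raw file offset, not an RVA
    return off != 0 and size != 0 and off + size <= len(data)


def build_pe(signed: bool) -> bytes:
    """Constructed header-only PE32 (not loadable); optionally with a placeholder certificate blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + 224
    blob = b"\0" * 16 if signed else b""                  # stands in for WIN_CERTIFICATE; not a real signature
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


if __name__ == "__main__":
    print(check_pdf_xref(build_pdf()), check_pdf_xref(build_pdf(xref_offset=3)))
    print(pe_has_authenticode(build_pe(signed=False)), pe_has_authenticode(build_pe(signed=True)))
```

Run both functions over the extracted archive contents rather than the zip itself: the report does not say which member file raised which signature, and a malformed xref on its own is common in benign generator output, so treat it as a triage hint, not a verdict.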
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2684 created 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\system32\svchost.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2684 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2684 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2684 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 2684 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2684 -ip 2684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2684 -ip 2684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 760
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.97.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 142.251.39.106:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
Files
memory/2684-0-0x0000000010000000-0x0000000012D79000-memory.dmp
memory/2684-1-0x0000000002520000-0x000000000252A000-memory.dmp
memory/2684-2-0x0000000002520000-0x000000000252A000-memory.dmp
memory/2684-3-0x0000000002530000-0x0000000002537000-memory.dmp
memory/2684-4-0x0000000002530000-0x0000000002537000-memory.dmp
memory/2684-6-0x0000000002540000-0x0000000002544000-memory.dmp
memory/2684-10-0x0000000002550000-0x0000000002568000-memory.dmp
memory/2684-8-0x0000000002540000-0x0000000002544000-memory.dmp
memory/2684-11-0x0000000002550000-0x0000000002568000-memory.dmp
memory/2684-12-0x00000000026E0000-0x000000000274D000-memory.dmp
memory/2684-13-0x0000000003760000-0x0000000003B60000-memory.dmp
memory/2684-15-0x0000000003760000-0x0000000003B60000-memory.dmp
memory/2684-14-0x0000000003760000-0x0000000003B60000-memory.dmp
memory/2684-16-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp
memory/2684-18-0x00000000768F0000-0x0000000076B05000-memory.dmp
memory/4660-19-0x00000000003C0000-0x00000000003C9000-memory.dmp
memory/4660-21-0x00000000022E0000-0x00000000026E0000-memory.dmp
memory/2684-22-0x0000000003760000-0x0000000003B60000-memory.dmp
memory/4660-23-0x00000000022E0000-0x00000000026E0000-memory.dmp
memory/4660-25-0x00000000022E0000-0x00000000026E0000-memory.dmp
memory/4660-24-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp
memory/4660-27-0x00000000768F0000-0x0000000076B05000-memory.dmp
memory/4660-28-0x00000000022E0000-0x00000000026E0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win7-20240221-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\Update_Leo.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e315647712e83a6f19df8ff40cbdd6c3 |
| SHA1 | 12dcd7440c062f5329afc69f219e26242159014e |
| SHA256 | eb4a222fadfaee81b3166096098ff6ba07258e61ef9ad9aebb36f6a44a9a0914 |
| SHA512 | bb9f583d7d929b111ed29994ce4590e22bb9e290dc2546cf7849783a411f69f8fb356fa76dc842b96abbd22e98efc02463ee160238d42371ed00a3a0cf15d5f0 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
182s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\Update_Leo.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3D89DB160B0F1436046653F78898B06B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3D89DB160B0F1436046653F78898B06B --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=87D579A78CBE122E4661929D84E8301D --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=627EC14F7B95B8A7898A3C4A00B3290C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=627EC14F7B95B8A7898A3C4A00B3290C --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D29F473B0E7480B7C150E4361153186 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EB04238456B6FC5FD14E7869EE0FBCAE --mojo-platform-channel-handle=2136 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07E71CDD156032B2E25894EE9F11E26E --mojo-platform-channel-handle=2812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.244.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | f6cd2d6a9adfb32ab2f02f6f95204aab |
| SHA1 | 4371c5e856e1f0ca495a63d55ca09ed55bf2976f |
| SHA256 | 7090e8ce99d2ab22d6373f1b16b5134e96eed81cc68a4013791da55594533e0d |
| SHA512 | f41af918be8fed27bcc1c3ef6852a823318d120d429dc8f288ec87ee155f3182f5551d6655d3d485a5b3cf505893d302af94d7a62165bba7712fa00bc6e4fb67 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2436 wrote to memory of 2644 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4864 created 2608 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\sihost.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\regsvr32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 4864 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2944 wrote to memory of 4864 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2944 wrote to memory of 4864 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4864 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4864 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4864 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4864 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 4864 wrote to memory of 4204 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\dialer.exe |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 892
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/4864-2-0x0000000010000000-0x0000000012D79000-memory.dmp
memory/4864-3-0x0000000002090000-0x000000000209A000-memory.dmp
memory/4864-1-0x0000000002090000-0x000000000209A000-memory.dmp
memory/4864-5-0x00000000021A0000-0x00000000021A7000-memory.dmp
memory/4864-7-0x00000000021A0000-0x00000000021A7000-memory.dmp
memory/4864-11-0x00000000021C0000-0x00000000021D8000-memory.dmp
memory/4864-12-0x00000000021C0000-0x00000000021D8000-memory.dmp
memory/4864-9-0x00000000021B0000-0x00000000021B4000-memory.dmp
memory/4864-10-0x00000000021B0000-0x00000000021B4000-memory.dmp
memory/4864-13-0x0000000002240000-0x00000000022AD000-memory.dmp
memory/4864-14-0x0000000003470000-0x0000000003870000-memory.dmp
memory/4864-15-0x0000000003470000-0x0000000003870000-memory.dmp
memory/4864-16-0x00007FFB34AB0000-0x00007FFB34CA5000-memory.dmp
memory/4864-17-0x0000000003470000-0x0000000003870000-memory.dmp
memory/4864-19-0x0000000076E00000-0x0000000077015000-memory.dmp
memory/4204-20-0x00000000007C0000-0x00000000007C9000-memory.dmp
memory/4204-22-0x0000000002610000-0x0000000002A10000-memory.dmp
memory/4204-23-0x00007FFB34AB0000-0x00007FFB34CA5000-memory.dmp
memory/4204-25-0x0000000076E00000-0x0000000077015000-memory.dmp
memory/4204-26-0x0000000002610000-0x0000000002A10000-memory.dmp
memory/4204-27-0x0000000002610000-0x0000000002A10000-memory.dmp
memory/4864-28-0x0000000003470000-0x0000000003870000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:53
Reported
2024-04-03 19:59
Platform
win7-20240220-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1656 created 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
| PID 1656 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe | C:\Windows\SysWOW64\dialer.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
Files
memory/1656-2-0x0000000010000000-0x0000000012D79000-memory.dmp
memory/1656-1-0x0000000002070000-0x000000000207A000-memory.dmp
memory/1656-4-0x0000000002070000-0x000000000207A000-memory.dmp
memory/1656-6-0x0000000002080000-0x0000000002087000-memory.dmp
memory/1656-8-0x0000000002080000-0x0000000002087000-memory.dmp
memory/1656-10-0x0000000002090000-0x0000000002094000-memory.dmp
memory/1656-11-0x0000000002090000-0x0000000002094000-memory.dmp
memory/1656-12-0x00000000020A0000-0x00000000020B8000-memory.dmp
memory/1656-14-0x00000000020A0000-0x00000000020B8000-memory.dmp
memory/1656-15-0x0000000002190000-0x00000000021FD000-memory.dmp
memory/1656-17-0x0000000003460000-0x0000000003860000-memory.dmp
memory/1656-16-0x0000000003460000-0x0000000003860000-memory.dmp
memory/1656-18-0x0000000003460000-0x0000000003860000-memory.dmp
memory/1656-19-0x00000000770C0000-0x0000000077269000-memory.dmp
memory/1656-21-0x0000000003460000-0x0000000003860000-memory.dmp
memory/1656-22-0x00000000764E0000-0x0000000076527000-memory.dmp
memory/2144-23-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2144-26-0x0000000001DC0000-0x00000000021C0000-memory.dmp
memory/2144-27-0x00000000770C0000-0x0000000077269000-memory.dmp
memory/2144-25-0x0000000001DC0000-0x00000000021C0000-memory.dmp
memory/2144-32-0x00000000764E0000-0x0000000076527000-memory.dmp
memory/2144-31-0x00000000770C0000-0x0000000077269000-memory.dmp
memory/1656-30-0x0000000003460000-0x0000000003860000-memory.dmp
memory/2144-28-0x0000000001DC0000-0x00000000021C0000-memory.dmp
memory/2144-33-0x0000000001DC0000-0x00000000021C0000-memory.dmp
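The Rhadamanthys detonations above (behavioral1, behavioral2 and behavioral6) show the same chain each time: the loader (LeonardoAl_Setup.exe, or the 32-bit regsvr32.exe that `regsvr32 /s` spawned to register g2m.dll from %TEMP%) starts dialer.exe with a different process recorded as its parent (NtCreateUserProcessOtherParentProcess) and then writes into it (WriteProcessMemory). The following is an added example of that chain expressed as detection logic, written for this page and not the sandbox vendor's signature code. Its event records are constructed from the PIDs in the tables; reading the signature's "creator" as the PID that called NtCreateUserProcess and "parent" as the PPID recorded on the child is an assumption about the report, as is treating the 64-bit regsvr32 writing into its 32-bit twin (behavioral5 and behavioral6) as the ordinary WoW64 relaunch, which the example uses as a benign control.

```python
import re
from collections import defaultdict

# Constructed process telemetry modelled on the behavioral1/2/6 signature tables; not the
# sandbox's raw log format. "creator" = PID that issued NtCreateUserProcess (assumption),
# "parent" = PPID recorded on the child.
EVENTS = [
    # behavioral6: 64-bit regsvr32 relaunches its 32-bit twin on g2m.dll from %TEMP%
    {"kind": "create", "creator": 2944, "parent": 2944, "pid": 4864,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"/s C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\g2m.dll"},
    {"kind": "write", "src": 2944, "src_image": r"C:\Windows\system32\regsvr32.exe", "dst": 4864},
    # behavioral6: dialer.exe started by 4864 but with sihost.exe (2608) recorded as its parent
    {"kind": "create", "creator": 4864, "parent": 2608, "pid": 4204,
     "image": r"C:\Windows\SysWOW64\dialer.exe", "cmdline": r'"C:\Windows\system32\dialer.exe"'},
    {"kind": "write", "src": 4864, "src_image": r"C:\Windows\SysWOW64\regsvr32.exe", "dst": 4204},
    # behavioral2: the setup EXE does the same, parenting dialer.exe to svchost.exe (2888)
    {"kind": "create", "creator": 2684, "parent": 2888, "pid": 4660,
     "image": r"C:\Windows\SysWOW64\dialer.exe", "cmdline": r'"C:\Windows\system32\dialer.exe"'},
    {"kind": "write", "src": 2684,
     "src_image": r"C:\Users\Admin\AppData\Local\Temp\Leonardo_Al\LeonardoAl_Setup.exe", "dst": 4660},
    # benign control: WerFault.exe launched the ordinary way, no spoofing and no cross-process write
    {"kind": "create", "creator": 2888, "parent": 2888, "pid": 5000,
     "image": r"C:\Windows\SysWOW64\WerFault.exe", "cmdline": r"WerFault.exe -u -p 2684 -s 764"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, actor_pid, subject_pid) tuples for the behaviours seen in the report."""
    created = {e["pid"]: e for e in events if e["kind"] == "create"}
    findings = []
    for e in events:
        if e["kind"] == "create":
            # NtCreateUserProcessOtherParentProcess: recorded parent is not the creator
            if e["creator"] != e["parent"]:
                findings.append(("ppid_spoof", e["creator"], e["pid"]))
            # regsvr32 silently registering a DLL from a user-writable directory
            if (basename(e["image"]) == "regsvr32.exe" and "/s" in e["cmdline"].lower()
                    and USER_WRITABLE.search(e["cmdline"])):
                findings.append(("regsvr32_user_dll", e["creator"], e["pid"]))
        elif e["kind"] == "write":
            child = created.get(e["dst"])
            # WriteProcessMemory into a Windows binary the writer itself spawned, under a
            # different image name: the hollowing pattern. Same-name parent/child writes
            # (the WoW64 regsvr32 relaunch) are deliberately not flagged.
            if (child and child["creator"] == e["src"]
                    and child["image"].lower().startswith("c:\\windows\\")
                    and basename(child["image"]) != basename(e["src_image"])):
                findings.append(("inject_system_binary", e["src"], e["dst"]))
    return findings


def suspicious_actors(findings, min_rules=2):
    """PIDs that triggered at least min_rules distinct rules: one rule alone is noise, the chain is not."""
    rules = defaultdict(set)
    for rule, actor, _ in findings:
        rules[actor].add(rule)
    return {pid for pid, r in rules.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(*f)
    print("escalate:", sorted(suspicious_actors(found)))
```

The `ppid_spoof` rule needs telemetry that records the real creator: a Sysmon process-creation event only carries the parent PID the child reports, which is exactly the field the spoofing overwrites, so this check belongs in a sensor that uses the kernel process-creation callback (which exposes the creating thread) or in a sandbox like the one above. The other two rules work on ordinary process-creation and cross-process-write events.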