Analysis
max time kernel: 155s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 18:35

Static task: static1
Behavioral task: behavioral1
Sample: c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
Resource: win7-en-20211208
General
Target: c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
Size: 4.2MB
MD5: eaf87c7f8adf7bdcd2878ccb350676f9
SHA1: beef0ee9397b01855c6daa2bff8002db4899b121
SHA256: c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea
SHA512: b81481f05f0817085cf7f91b9a269e7723d653e50d34925dd422cf60e250212a76af6dfb95eb812ffc735d6e264cdf6fe953e41727a08c5f94b0b8ee9a68a650

Malware Config

Signatures
Executes dropped EXE (9 IoCs)
Processes:
  pid  | Process
  2624 | winchk32.exe
  676  | winchk32.exe
  864  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1808 | rutserv.exe
  3016 | Explorer.EXE
  3424 | rutserv.exe
  352  | rfusclient.exe
Drops file in System32 directory (3 IoCs)
Processes:
  description                  | ioc                                         | Process
  File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | rutserv.exe
  File opened for modification | C:\Windows\SysWOW64\rutserv.pdb             | rutserv.exe
  File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb         | rutserv.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                        | pid  | Process      | procid_target
  PID 2624 set thread context of 676 | 2624 | winchk32.exe | 70
  PID 864 set thread context of 368  | 864  | winchk32.exe | 77
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                   | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
  description       | ioc                                                      | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Modifies Internet Explorer settings (1 IoCs)
Processes:
  description | ioc                                                                                                                                          | Process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (1 IoCs)
Processes:
  description | ioc                                                                               | Process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid  | Process
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  676  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  3016 | Explorer.EXE
  3016 | Explorer.EXE
  1484 | winchk64.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
  368  | winchk32.exe
  368  | winchk32.exe
  1484 | winchk64.exe
  1484 | winchk64.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | Process
  3016 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description                      | pid  | Process
  Token: SeDebugPrivilege          | 676  | winchk32.exe
  Token: SeDebugPrivilege          | 368  | winchk32.exe
  Token: SeDebugPrivilege          | 1484 | winchk64.exe
  Token: SeDebugPrivilege          | 1808 | rutserv.exe
  Token: SeTakeOwnershipPrivilege  | 3424 | rutserv.exe
  Token: SeTcbPrivilege            | 3424 | rutserv.exe
  Token: SeTcbPrivilege            | 3424 | rutserv.exe
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
  Token: SeShutdownPrivilege       | 3016 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid  | Process
  2164 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
  pid  | Process
  1808 | rutserv.exe
  3424 | rutserv.exe
  2164 | AcroRd32.exe
  2164 | AcroRd32.exe
  2164 | AcroRd32.exe
  2164 | AcroRd32.exe
  2164 | AcroRd32.exe
  2164 | AcroRd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                      | pid  | Process                                                              | procid_target
  PID 2396 wrote to memory of 2624 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 68
  PID 2396 wrote to memory of 2624 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 68
  PID 2396 wrote to memory of 2624 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 68
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 2624 wrote to memory of 676  | 2624 | winchk32.exe                                                         | 70
  PID 676 wrote to memory of 3796  | 676  | winchk32.exe                                                         | 71
  PID 676 wrote to memory of 3796  | 676  | winchk32.exe                                                         | 71
  PID 676 wrote to memory of 3796  | 676  | winchk32.exe                                                         | 71
  PID 3796 wrote to memory of 2660 | 3796 | cmd.exe                                                              | 73
  PID 3796 wrote to memory of 2660 | 3796 | cmd.exe                                                              | 73
  PID 3796 wrote to memory of 2660 | 3796 | cmd.exe                                                              | 73
  PID 676 wrote to memory of 420   | 676  | winchk32.exe                                                         | 74
  PID 676 wrote to memory of 420   | 676  | winchk32.exe                                                         | 74
  PID 676 wrote to memory of 420   | 676  | winchk32.exe                                                         | 74
  PID 420 wrote to memory of 864   | 420  | cmd.exe                                                              | 76
  PID 420 wrote to memory of 864   | 420  | cmd.exe                                                              | 76
  PID 420 wrote to memory of 864   | 420  | cmd.exe                                                              | 76
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 864 wrote to memory of 368   | 864  | winchk32.exe                                                         | 77
  PID 368 wrote to memory of 2380  | 368  | winchk32.exe                                                         | 78
  PID 368 wrote to memory of 2380  | 368  | winchk32.exe                                                         | 78
  PID 368 wrote to memory of 2380  | 368  | winchk32.exe                                                         | 78
  PID 368 wrote to memory of 2528  | 368  | winchk32.exe                                                         | 79
  PID 368 wrote to memory of 2528  | 368  | winchk32.exe                                                         | 79
  PID 368 wrote to memory of 2528  | 368  | winchk32.exe                                                         | 79
  PID 368 wrote to memory of 3016  | 368  | winchk32.exe                                                         | 32
  PID 2380 wrote to memory of 1484 | 2380 | cmd.exe                                                              | 82
  PID 2380 wrote to memory of 1484 | 2380 | cmd.exe                                                              | 82
  PID 1484 wrote to memory of 3016 | 1484 | winchk64.exe                                                         | 32
  PID 2528 wrote to memory of 1808 | 2528 | cmd.exe                                                              | 83
  PID 2528 wrote to memory of 1808 | 2528 | cmd.exe                                                              | 83
  PID 2528 wrote to memory of 1808 | 2528 | cmd.exe                                                              | 83
  PID 2396 wrote to memory of 2164 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 84
  PID 2396 wrote to memory of 2164 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 84
  PID 2396 wrote to memory of 2164 | 2396 | c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe | 84
  PID 3424 wrote to memory of 352  | 3424 | rutserv.exe                                                          | 87
  PID 3424 wrote to memory of 352  | 3424 | rutserv.exe                                                          | 87
  PID 3424 wrote to memory of 352  | 3424 | rutserv.exe                                                          | 87
  PID 2164 wrote to memory of 3848 | 2164 | AcroRd32.exe                                                         | 88
  PID 2164 wrote to memory of 3848 | 2164 | AcroRd32.exe                                                         | 88
  PID 2164 wrote to memory of 3848 | 2164 | AcroRd32.exe                                                         | 88
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
  PID 3848 wrote to memory of 3600 | 3848 | RdrCEF.exe                                                           | 90
Processes
(Process tree; the bracketed number is the nesting depth in the tree.)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 3016

  [2] C:\Users\Admin\AppData\Local\Temp\c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c0d9e5238842dd573f6f7042b08ed7e11cfc6fa0daef30a68c837e89816c3eea.exe"
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2396

    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 2624

      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 676

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
            - Suspicious use of WriteProcessMemory
            PID: 3796

          [6] C:\Windows\SysWOW64\xcopy.exe
              Command line: xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
              - Enumerates system info in registry
              PID: 2660

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
            - Suspicious use of WriteProcessMemory
            PID: 420

          [6] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
              Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID: 864

            [7] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
                Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 368

              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                  - Suspicious use of WriteProcessMemory
                  PID: 2380

                [9] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
                    Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 1484

              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                  - Suspicious use of WriteProcessMemory
                  PID: 2528

                [9] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                    Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    PID: 1808

                  [10] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                       Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
                       - Executes dropped EXE
                       - Drops file in System32 directory
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of SetWindowsHookEx
                       - Suspicious use of WriteProcessMemory
                       PID: 3424

                    [11] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
                         Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
                         - Executes dropped EXE
                         PID: 352

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
        - Checks processor information in registry
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2164

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - Suspicious use of WriteProcessMemory
          PID: 3848

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE2939A402F1F217EFD296A587A8B655 --mojo-platform-channel-handle=1684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID: 3600

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=66AC3F600B658D1DB697D80018FA691D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=66AC3F600B658D1DB697D80018FA691D --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
            PID: 3688

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=10754165917A17D5F502057095E8B597 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=10754165917A17D5F502057095E8B597 --renderer-client-id=4 --mojo-platform-channel-handle=2256 --allow-no-sandbox-job /prefetch:1
            PID: 1056

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FD7B317B46BF2A20B6C7A4DC751CB67 --mojo-platform-channel-handle=2528 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID: 3204

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2EF7101D82CD5303AF20D81FD56C61C --mojo-platform-channel-handle=1680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID: 2108

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7735FF7B95711B8B402EE2DC4C78EAB --mojo-platform-channel-handle=2648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID: 2748
Network
MITRE ATT&CK Enterprise v6
Downloads