rms | 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335

Analysis

max time kernel
163s
max time network
166s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
Size

4.2MB
MD5

a09a299fe4a28990a8e2aa829d5c8813
SHA1

e95c651c539eaf73e142d1867a1a96098a5e219f
SHA256

64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335
SHA512

9adbda1c42ed28890acad6430938e05cdbcb75ac1d01438b047ea6ee3a322ec16106dc049cbc463ccc27d4882a39949745390a34b3a8a21a97ee52a3a5528f57

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 9 IoCs

pid	Process
856	winchk32.exe
1248	winchk32.exe
4004	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
1928	Explorer.EXE
2784	rutserv.exe
1876	rutserv.exe
3176	rfusclient.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 1248	856	winchk32.exe	70
PID 4004 set thread context of 1472	4004	winchk32.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1248	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1928	Explorer.EXE
1928	Explorer.EXE
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe
2300	winchk64.exe
2300	winchk64.exe
2300	winchk64.exe
2300	winchk64.exe
1472	winchk32.exe
1472	winchk32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1928	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	winchk32.exe
Token: SeDebugPrivilege	1472	winchk32.exe
Token: SeDebugPrivilege	2300	winchk64.exe
Token: SeDebugPrivilege	2784	rutserv.exe
Token: SeTakeOwnershipPrivilege	1876	rutserv.exe
Token: SeTcbPrivilege	1876	rutserv.exe
Token: SeTcbPrivilege	1876	rutserv.exe
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE
Token: SeShutdownPrivilege	1928	Explorer.EXE
Token: SeCreatePagefilePrivilege	1928	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3924	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2784	rutserv.exe
1876	rutserv.exe
3924	AcroRd32.exe
3924	AcroRd32.exe
3924	AcroRd32.exe
3924	AcroRd32.exe
3924	AcroRd32.exe
3924	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 856	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	68
PID 2700 wrote to memory of 856	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	68
PID 2700 wrote to memory of 856	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	68
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 856 wrote to memory of 1248	856	winchk32.exe	70
PID 1248 wrote to memory of 952	1248	winchk32.exe	71
PID 1248 wrote to memory of 952	1248	winchk32.exe	71
PID 1248 wrote to memory of 952	1248	winchk32.exe	71
PID 952 wrote to memory of 1188	952	cmd.exe	73
PID 952 wrote to memory of 1188	952	cmd.exe	73
PID 952 wrote to memory of 1188	952	cmd.exe	73
PID 1248 wrote to memory of 3864	1248	winchk32.exe	74
PID 1248 wrote to memory of 3864	1248	winchk32.exe	74
PID 1248 wrote to memory of 3864	1248	winchk32.exe	74
PID 3864 wrote to memory of 4004	3864	cmd.exe	76
PID 3864 wrote to memory of 4004	3864	cmd.exe	76
PID 3864 wrote to memory of 4004	3864	cmd.exe	76
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 4004 wrote to memory of 1472	4004	winchk32.exe	77
PID 1472 wrote to memory of 2244	1472	winchk32.exe	78
PID 1472 wrote to memory of 2244	1472	winchk32.exe	78
PID 1472 wrote to memory of 2244	1472	winchk32.exe	78
PID 1472 wrote to memory of 1704	1472	winchk32.exe	81
PID 1472 wrote to memory of 1704	1472	winchk32.exe	81
PID 1472 wrote to memory of 1704	1472	winchk32.exe	81
PID 1472 wrote to memory of 1928	1472	winchk32.exe	9
PID 2244 wrote to memory of 2300	2244	cmd.exe	82
PID 2244 wrote to memory of 2300	2244	cmd.exe	82
PID 2300 wrote to memory of 1928	2300	winchk64.exe	9
PID 2700 wrote to memory of 3924	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	83
PID 2700 wrote to memory of 3924	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	83
PID 2700 wrote to memory of 3924	2700	64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe	83
PID 1704 wrote to memory of 2784	1704	cmd.exe	84
PID 1704 wrote to memory of 2784	1704	cmd.exe	84
PID 1704 wrote to memory of 2784	1704	cmd.exe	84
PID 1876 wrote to memory of 3176	1876	rutserv.exe	87
PID 1876 wrote to memory of 3176	1876	rutserv.exe	87
PID 1876 wrote to memory of 3176	1876	rutserv.exe	87
PID 3924 wrote to memory of 1636	3924	AcroRd32.exe	89
PID 3924 wrote to memory of 1636	3924	AcroRd32.exe	89
PID 3924 wrote to memory of 1636	3924	AcroRd32.exe	89
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90
PID 1636 wrote to memory of 500	1636	RdrCEF.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1928
- C:\Users\Admin\AppData\Local\Temp\64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
  "C:\Users\Admin\AppData\Local\Temp\64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
        6⤵
        Enumerates system info in registry
        
        PID:1188
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3864
      - C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
        
        C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
        11⤵
        Executes dropped EXE
        
        PID:3176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE527B30026B53EC390722A009D1DEC9 --mojo-platform-channel-handle=1668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:500
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=39FA7DE360766BAF9A2E6D46B9727979 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=39FA7DE360766BAF9A2E6D46B9727979 --renderer-client-id=2 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:1012
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E79A63EE1615DA96F4864A6FCAA44C7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E79A63EE1615DA96F4864A6FCAA44C7 --renderer-client-id=4 --mojo-platform-channel-handle=2100 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3552
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2195C8F0E5B216855608C6B52890141A --mojo-platform-channel-handle=2512 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1592
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E46BF4AE82C7A9A6A394FD7F9A6FD9FA --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF7D38A154D96D23EE8E12E3C020BAB7 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-241-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download
memory/856-202-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1012-244-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download
memory/1248-213-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1248-205-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1248-203-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1472-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1472-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1592-254-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download
memory/1620-257-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download
memory/1876-236-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1928-239-0x00007FFDB2F40000-0x00007FFDB2F41000-memory.dmp

Filesize
4KB

Download
memory/2784-234-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3176-240-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3552-249-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download
memory/3724-260-0x0000000077582000-0x0000000077583000-memory.dmp

Filesize
4KB

Download