Analysis
max time kernel: 163s
max time network: 166s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
Resource: win7-en-20211208
General
Target: 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
Size: 4.2MB
MD5: a09a299fe4a28990a8e2aa829d5c8813
SHA1: e95c651c539eaf73e142d1867a1a96098a5e219f
SHA256: 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335
SHA512: 9adbda1c42ed28890acad6430938e05cdbcb75ac1d01438b047ea6ee3a322ec16106dc049cbc463ccc27d4882a39949745390a34b3a8a21a97ee52a3a5528f57
Malware Config
Signatures
Executes dropped EXE 9 IoCs
Processes (pid | Process):
856 | winchk32.exe
1248 | winchk32.exe
4004 | winchk32.exe
1472 | winchk32.exe
2300 | winchk64.exe
1928 | Explorer.EXE
2784 | rutserv.exe
1876 | rutserv.exe
3176 | rfusclient.exe
Drops file in System32 directory 3 IoCs
Processes (description | ioc | Process):
File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\rutserv.pdb | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb | rutserv.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | Process | procid_target):
PID 856 set thread context of 1248 | 856 | winchk32.exe | 70
PID 4004 set thread context of 1472 | 4004 | winchk32.exe | 77
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | Process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description | ioc | Process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Modifies Internet Explorer settings 1 IoCs
Processes (description | ioc | Process):
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class 1 IoCs
Processes (description | ioc | Process):
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | Process | occurrences):
1248 | winchk32.exe | 8
1472 | winchk32.exe | 38
2300 | winchk64.exe | 16
1928 | Explorer.EXE | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | Process):
1928 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes (description | pid | Process | occurrences):
Token: SeDebugPrivilege | 1248 | winchk32.exe | 1
Token: SeDebugPrivilege | 1472 | winchk32.exe | 1
Token: SeDebugPrivilege | 2300 | winchk64.exe | 1
Token: SeDebugPrivilege | 2784 | rutserv.exe | 1
Token: SeTakeOwnershipPrivilege | 1876 | rutserv.exe | 1
Token: SeTcbPrivilege | 1876 | rutserv.exe | 2
Token: SeShutdownPrivilege | 1928 | Explorer.EXE | 16
Token: SeCreatePagefilePrivilege | 1928 | Explorer.EXE | 16
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid | Process):
3924 | AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes (pid | Process | occurrences):
2784 | rutserv.exe | 1
1876 | rutserv.exe | 1
3924 | AcroRd32.exe | 6
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | Process | procid_target | occurrences):
PID 2700 wrote to memory of 856 | 2700 | 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe | 68 | 3
PID 856 wrote to memory of 1248 | 856 | winchk32.exe | 70 | 9
PID 1248 wrote to memory of 952 | 1248 | winchk32.exe | 71 | 3
PID 952 wrote to memory of 1188 | 952 | cmd.exe | 73 | 3
PID 1248 wrote to memory of 3864 | 1248 | winchk32.exe | 74 | 3
PID 3864 wrote to memory of 4004 | 3864 | cmd.exe | 76 | 3
PID 4004 wrote to memory of 1472 | 4004 | winchk32.exe | 77 | 9
PID 1472 wrote to memory of 2244 | 1472 | winchk32.exe | 78 | 3
PID 1472 wrote to memory of 1704 | 1472 | winchk32.exe | 81 | 3
PID 1472 wrote to memory of 1928 | 1472 | winchk32.exe | 9 | 1
PID 2244 wrote to memory of 2300 | 2244 | cmd.exe | 82 | 2
PID 2300 wrote to memory of 1928 | 2300 | winchk64.exe | 9 | 1
PID 2700 wrote to memory of 3924 | 2700 | 64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe | 83 | 3
PID 1704 wrote to memory of 2784 | 1704 | cmd.exe | 84 | 3
PID 1876 wrote to memory of 3176 | 1876 | rutserv.exe | 87 | 3
PID 3924 wrote to memory of 1636 | 3924 | AcroRd32.exe | 89 | 3
PID 1636 wrote to memory of 500 | 1636 | RdrCEF.exe | 90 | 9
Processes
[depth 1] C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
  [depth 2] C:\Users\Admin\AppData\Local\Temp\64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\64c9b9ded4fb595717bf9a0999f6cc2f92e7b7d4b7d06eaaa8e75ba6922e7335.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
    [depth 3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID:856
      [depth 4] C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:1248
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          cmd: cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
          - Suspicious use of WriteProcessMemory
          PID:952
          [depth 6] C:\Windows\SysWOW64\xcopy.exe
            cmd: xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
            - Enumerates system info in registry
            PID:1188
        [depth 5] C:\Windows\SysWOW64\cmd.exe
          cmd: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
          - Suspicious use of WriteProcessMemory
          PID:3864
          [depth 6] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
            cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID:4004
            [depth 7] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
              cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID:1472
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                - Suspicious use of WriteProcessMemory
                PID:2244
                [depth 9] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe
                  cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID:2300
              [depth 8] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                - Suspicious use of WriteProcessMemory
                PID:1704
                [depth 9] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                  cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  PID:2784
                  [depth 10] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                    cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    PID:1876
                    [depth 11] C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe
                      cmd: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
                      - Executes dropped EXE
                      PID:3176
    [depth 3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3924
      [depth 4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory
        PID:1636
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE527B30026B53EC390722A009D1DEC9 --mojo-platform-channel-handle=1668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID:500
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=39FA7DE360766BAF9A2E6D46B9727979 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=39FA7DE360766BAF9A2E6D46B9727979 --renderer-client-id=2 --mojo-platform-channel-handle=1676 --allow-no-sandbox-job /prefetch:1
          PID:1012
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E79A63EE1615DA96F4864A6FCAA44C7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E79A63EE1615DA96F4864A6FCAA44C7 --renderer-client-id=4 --mojo-platform-channel-handle=2100 --allow-no-sandbox-job /prefetch:1
          PID:3552
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2195C8F0E5B216855608C6B52890141A --mojo-platform-channel-handle=2512 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID:1592
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E46BF4AE82C7A9A6A394FD7F9A6FD9FA --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID:1620
        [depth 5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF7D38A154D96D23EE8E12E3C020BAB7 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          PID:3724
Network
MITRE ATT&CK Enterprise v6
Downloads