Analysis
max time kernel: 159s
max time network: 166s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 17:53

Static task: static1
Behavioral task: behavioral1
Sample: 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe
Resource: win7-en-20211208
General
Target: 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe
Size: 4.2MB
MD5: ae2a9dea39697831ae7dc64f02c951cc
SHA1: e0007a2e0e9ae47dd028029c402d7d0a08ebbc25
SHA256: 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0
SHA512: 86af5fcb46709453e550f681f0748295a038dcc0af34bb8dd6d4e1f4bf82946226794e611a6eee6314809b38048ac3b86072c3dd2454b116a119f15c46a7489b
Malware Config
Signatures
Executes dropped EXE (9 IoCs)
Processes:
pid  | Process
1096 | winchk32.exe
1560 | winchk32.exe
960  | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
3056 | Explorer.EXE
2104 | rutserv.exe
3368 | rutserv.exe
3044 | rfusclient.exe

Drops file in System32 directory (3 IoCs)
Processes:
description                  | ioc                                         | Process
File opened for modification | C:\Windows\SysWOW64\rutserv.pdb             | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\exe\rutserv.pdb         | rutserv.exe
File opened for modification | C:\Windows\SysWOW64\symbols\exe\rutserv.pdb | rutserv.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description                         | pid  | Process      | procid_target
PID 1096 set thread context of 1560 | 1096 | winchk32.exe | 71
PID 960 set thread context of 1060  | 960  | winchk32.exe | 78

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description       | ioc                                                                   | Process
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0      | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes:
description       | ioc                                                      | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe

Modifies Internet Explorer settings (1 IoCs)
Processes:
description | ioc                                                                                                                                           | Process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoCs)
Processes:
description | ioc                                                                               | Process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid  | Process
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1560 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
3056 | Explorer.EXE
3056 | Explorer.EXE
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1060 | winchk32.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
1060 | winchk32.exe
2104 | rutserv.exe
2104 | rutserv.exe
1744 | winchk64.exe
1744 | winchk64.exe
2104 | rutserv.exe
2104 | rutserv.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe
1744 | winchk64.exe
1744 | winchk64.exe
1060 | winchk32.exe
1060 | winchk32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid  | Process
3056 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
description                      | pid  | Process
Token: SeDebugPrivilege          | 1560 | winchk32.exe
Token: SeDebugPrivilege          | 1060 | winchk32.exe
Token: SeDebugPrivilege          | 1744 | winchk64.exe
Token: SeDebugPrivilege          | 2104 | rutserv.exe
Token: SeTakeOwnershipPrivilege  | 3368 | rutserv.exe
Token: SeTcbPrivilege            | 3368 | rutserv.exe
Token: SeTcbPrivilege            | 3368 | rutserv.exe
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
Token: SeShutdownPrivilege       | 3056 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid  | Process
1676 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes:
pid  | Process
2104 | rutserv.exe
3368 | rutserv.exe
1676 | AcroRd32.exe
1676 | AcroRd32.exe
1676 | AcroRd32.exe
1676 | AcroRd32.exe
1676 | AcroRd32.exe
1676 | AcroRd32.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                      | pid  | Process                                                              | procid_target
PID 2724 wrote to memory of 1096 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 69
PID 2724 wrote to memory of 1096 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 69
PID 2724 wrote to memory of 1096 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 69
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1096 wrote to memory of 1560 | 1096 | winchk32.exe | 71
PID 1560 wrote to memory of 592  | 1560 | winchk32.exe | 72
PID 1560 wrote to memory of 592  | 1560 | winchk32.exe | 72
PID 1560 wrote to memory of 592  | 1560 | winchk32.exe | 72
PID 592 wrote to memory of 664   | 592  | cmd.exe      | 74
PID 592 wrote to memory of 664   | 592  | cmd.exe      | 74
PID 592 wrote to memory of 664   | 592  | cmd.exe      | 74
PID 1560 wrote to memory of 3184 | 1560 | winchk32.exe | 75
PID 1560 wrote to memory of 3184 | 1560 | winchk32.exe | 75
PID 1560 wrote to memory of 3184 | 1560 | winchk32.exe | 75
PID 3184 wrote to memory of 960  | 3184 | cmd.exe      | 77
PID 3184 wrote to memory of 960  | 3184 | cmd.exe      | 77
PID 3184 wrote to memory of 960  | 3184 | cmd.exe      | 77
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 960 wrote to memory of 1060  | 960  | winchk32.exe | 78
PID 1060 wrote to memory of 1132 | 1060 | winchk32.exe | 79
PID 1060 wrote to memory of 1132 | 1060 | winchk32.exe | 79
PID 1060 wrote to memory of 1132 | 1060 | winchk32.exe | 79
PID 1060 wrote to memory of 3964 | 1060 | winchk32.exe | 82
PID 1060 wrote to memory of 3964 | 1060 | winchk32.exe | 82
PID 1060 wrote to memory of 3964 | 1060 | winchk32.exe | 82
PID 1060 wrote to memory of 3056 | 1060 | winchk32.exe | 25
PID 2724 wrote to memory of 1676 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 83
PID 2724 wrote to memory of 1676 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 83
PID 2724 wrote to memory of 1676 | 2724 | 6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe | 83
PID 1132 wrote to memory of 1744 | 1132 | cmd.exe      | 84
PID 1132 wrote to memory of 1744 | 1132 | cmd.exe      | 84
PID 1744 wrote to memory of 3056 | 1744 | winchk64.exe | 25
PID 3964 wrote to memory of 2104 | 3964 | cmd.exe      | 85
PID 3964 wrote to memory of 2104 | 3964 | cmd.exe      | 85
PID 3964 wrote to memory of 2104 | 3964 | cmd.exe      | 85
PID 3368 wrote to memory of 3044 | 3368 | rutserv.exe  | 88
PID 3368 wrote to memory of 3044 | 3368 | rutserv.exe  | 88
PID 3368 wrote to memory of 3044 | 3368 | rutserv.exe  | 88
PID 1676 wrote to memory of 1908 | 1676 | AcroRd32.exe | 89
PID 1676 wrote to memory of 1908 | 1676 | AcroRd32.exe | 89
PID 1676 wrote to memory of 1908 | 1676 | AcroRd32.exe | 89
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
PID 1908 wrote to memory of 2692 | 1908 | RdrCEF.exe   | 90
Processes
Process tree (indentation shows parent/child relationship; each entry gives the image path, PID, command line and the signatures it triggered):

C:\Windows\Explorer.EXE (PID 3056)
  Command line: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe (PID 2724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6b40a43df8389ae182ee619fadd61ca837f6516f66602a41cc9fb327ef981af0.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe (PID 1096)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe (PID 1560)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\winchk32.exe" /inst /xwait
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 592)
          Command line: cmd.exe /C xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\xcopy.exe (PID 664)
            Command line: xcopy /Y /E /Q * C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\
            - Enumerates system info in registry

        C:\Windows\SysWOW64\cmd.exe (PID 3184)
          Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe (PID 960)
            Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe (PID 1060)
              Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk32.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\cmd.exe (PID 1132)
                Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe (PID 1744)
                  Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\winchk64.exe /inj
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

              C:\Windows\SysWOW64\cmd.exe (PID 3964)
                Command line: cmd.exe /C C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe (PID 2104)
                  Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx

                  C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe (PID 3368)
                    Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rutserv.exe -second
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe (PID 3044)
                      Command line: C:\Users\Admin\AppData\Roaming\29D451CF-3548-4486-8465-A23029B8F6FA\101\rfusclient.exe /tray /user
                      - Executes dropped EXE

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 1676)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ZPDG.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1908)
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2692)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2B139CCF36B985D934646F26F8225271 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2B139CCF36B985D934646F26F8225271 --renderer-client-id=2 --mojo-platform-channel-handle=1668 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2732)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=19AF2BA53F9495F0E6D5EDAA199E5EE0 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3420)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=328A8A4B585085E84F44316F232ACD7D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=328A8A4B585085E84F44316F232ACD7D --renderer-client-id=4 --mojo-platform-channel-handle=2108 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1028)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16583FD51584AB54AC7D3126195C3B76 --mojo-platform-channel-handle=2112 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3180)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6647B8DF472F921E137908704C8BD1D2 --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3924)
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=713929609013DD1C6651E1FBBBE79F84 --mojo-platform-channel-handle=2248 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Enterprise v6
Downloads