Analysis
max time kernel: 151s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 08:36
Behavioral task behavioral1: Sample "Requirements upwork.scr", Resource win7-20240221-en
Behavioral task behavioral2: Sample "Requirements upwork.scr", Resource win10v2004-20240508-en
General
Target: Requirements upwork.scr
Size: 699.6MB
MD5: 1cbf33e0f9964d14cc107236d8060972
SHA1: bd7052b3f20a83ed7ce837030d7aee6b1150781a
SHA256: b7615563fc08671d442b6f8102eeb61f5058f75821bac5f701385f7c123d7fa5
SHA512: 1042f8ee6b23000d55082af3061a8559c266302d5a72eb35041d33a090ec4e70850f7d55df3c3463478d40d0a17f4a1834d9e72a59829041540898d6b4bba63b
SSDEEP: 393216:fM07b4unYmNXdJu4LTYi7dRcogr6+7QJhrrXZEwCz:fNIunb9bJRRgrWXZEw0
Malware Config
Signatures
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 5052 created 2616 | 5052 | calc.exe | 44

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | Requirements upwork.scr

Executes dropped EXE (3 IoCs)
pid | Process
1104 | pythonw.exe
1996 | pythonw.exe
5052 | calc.exe

Loads dropped DLL (4 IoCs)
pid | Process | rows
1104 | pythonw.exe | 2
1996 | pythonw.exe | 2
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); Process: explorer.exe; ioc (48 drive roots, in report order):
\??\e:, \??\p:, \??\P:, \??\q:, \??\Z:, \??\F:, \??\S:, \??\s:, \??\u:, \??\a:, \??\A:, \??\b:, \??\K:, \??\m:, \??\r:, \??\W:, \??\y:, \??\T:, \??\x:, \??\E:, \??\G:, \??\H:, \??\n:, \??\O:, \??\t:, \??\X:, \??\j:, \??\k:, \??\Q:, \??\V:, \??\w:, \??\Y:, \??\D:, \??\g:, \??\i:, \??\o:, \??\R:, \??\B:, \??\h:, \??\I:, \??\J:, \??\l:, \??\M:, \??\U:, \??\z:, \??\L:, \??\N:, \??\v:
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1996 set thread context of 1892 | 1996 | pythonw.exe | 97
PID 4408 set thread context of 5052 | 4408 | explorer.exe | 116

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | Requirements upwork.scr
Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid | Process | rows
1104 | pythonw.exe | 1
1996 | pythonw.exe | 3
1892 | cmd.exe | 4
2484 | AcroRd32.exe | 20
4408 | explorer.exe | 2
5052 | calc.exe | 2
2152 | dialer.exe | 4

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
1996 | pythonw.exe
1892 | cmd.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2484 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process | rows
2484 | AcroRd32.exe | 5

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | rows
PID 2132 wrote to memory of 1104 | 2132 | Requirements upwork.scr | 93 | 2
PID 2132 wrote to memory of 2484 | 2132 | Requirements upwork.scr | 94 | 3
PID 1104 wrote to memory of 1996 | 1104 | pythonw.exe | 95 | 2
PID 1996 wrote to memory of 1892 | 1996 | pythonw.exe | 97 | 3
PID 2484 wrote to memory of 2496 | 2484 | AcroRd32.exe | 103 | 3
PID 2496 wrote to memory of 4636 | 2496 | RdrCEF.exe | 104 | 41
PID 2496 wrote to memory of 1272 | 2496 | RdrCEF.exe | 105 | 10
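The WriteProcessMemory, SetThreadContext and NtCreateUserProcessOtherParentProcess tables above, read together with the process tree, describe one execution chain. The script below reconstructs it. It is an added example and is not part of the sandbox report or code from the sample: PROCESSES and API_EVENTS are transcribed from the report (duplicate rows collapsed; the RdrCEF helper children, msedge.exe and CompPkgSrv.exe left out), while the function names and the rule logic are this example's own.

```python
"""Reconstructing the execution chain from the sandbox signatures above.

Added example; not part of the sandbox report and not the sample's code.
PROCESSES and API_EVENTS are transcribed from the report's process tree and
its WriteProcessMemory / SetThreadContext /
NtCreateUserProcessOtherParentProcess tables (duplicate rows collapsed).
The rule logic is illustrative.
"""

# pid -> (image name, parent pid as recorded in the process tree)
PROCESSES = {
    2616: ("sihost.exe", None),
    2152: ("dialer.exe", 2616),
    2132: ("Requirements upwork.scr", None),
    1104: ("pythonw.exe", 2132),
    1996: ("pythonw.exe", 1104),
    1892: ("cmd.exe", 1996),
    4408: ("explorer.exe", 1892),
    5052: ("calc.exe", 4408),
    2484: ("AcroRd32.exe", 2132),
    2496: ("RdrCEF.exe", 2484),
}

# (api, source pid, target pid). The last row is the
# NtCreateUserProcessOtherParentProcess hit: calc.exe (5052) created a
# process while naming sihost.exe (2616) as its parent.
API_EVENTS = [
    ("WriteProcessMemory", 2132, 1104),
    ("WriteProcessMemory", 2132, 2484),
    ("WriteProcessMemory", 1104, 1996),
    ("WriteProcessMemory", 1996, 1892),
    ("WriteProcessMemory", 2484, 2496),
    ("SetThreadContext", 1996, 1892),
    ("SetThreadContext", 4408, 5052),
    ("CreateProcessOtherParent", 5052, 2616),
]


def hollowing_candidates(events=API_EVENTS, procs=PROCESSES):
    """SetThreadContext on a process's own child is the tell-tale of process
    hollowing: spawn a benign image, overwrite it, redirect its main thread.
    A WriteProcessMemory row on the same (parent, child) pair is attached as
    corroborating evidence when the report shows one."""
    wpm = {(s, d) for api, s, d in events if api == "WriteProcessMemory"}
    hits = []
    for api, src, dst in events:
        if api != "SetThreadContext" or procs[dst][1] != src:
            continue
        evidence = ["SetThreadContext"]
        if (src, dst) in wpm:
            evidence.append("WriteProcessMemory")
        hits.append((src, dst, procs[dst][0], tuple(evidence)))
    return hits


def spoofed_children(events=API_EVENTS, procs=PROCESSES):
    """Map child pid -> real creator pid for processes whose recorded parent
    was supplied via the other-parent attribute. The tree's children of the
    claimed parent are the candidates; here sihost.exe has exactly one."""
    out = {}
    for api, creator, claimed in events:
        if api != "CreateProcessOtherParent":
            continue
        for pid, (_image, parent) in procs.items():
            if parent == claimed:
                out[pid] = creator
    return out


def lineage(pid, procs=PROCESSES, corrected=True):
    """Image names from the root of the tree down to `pid`. With
    corrected=True the spoofed parent link is replaced by the creator found
    above, which reattaches dialer.exe to the sample's injection chain."""
    fix = spoofed_children(procs=procs) if corrected else {}
    chain = []
    while pid is not None:
        image, parent = procs[pid]
        chain.append(image)
        pid = fix.get(pid, parent)
    return chain[::-1]


if __name__ == "__main__":
    for src, dst, image, ev in hollowing_candidates():
        print(f"hollowing candidate: {PROCESSES[src][0]} ({src}) -> "
              f"{image} ({dst}) via {', '.join(ev)}")
    for child, creator in spoofed_children().items():
        recorded = PROCESSES[PROCESSES[child][1]][0]
        print(f"parent spoofed: {PROCESSES[child][0]} ({child}) recorded under "
              f"{recorded}, created by {PROCESSES[creator][0]} ({creator})")
    print("as recorded:  ", " -> ".join(lineage(2152, corrected=False)))
    print("reconstructed:", " -> ".join(lineage(2152)))
```

The point of the corrected lineage is that the tree as recorded shows dialer.exe as a child of sihost.exe, which looks like normal session-host activity; only the other-parent signature ties it back to calc.exe and, through the two hollowed hosts, to the screensaver sample.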
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2616
  - C:\Windows\SysWOW64\dialer.exe
    command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 2152
- C:\Users\Admin\AppData\Local\Temp\Requirements upwork.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Requirements upwork.scr" /S
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2132
  - C:\Users\Admin\AppData\Roaming\Programs\WinRAR\pythonw.exe
    command line: "C:\Users\Admin\AppData\Roaming\Programs\WinRAR\pythonw.exe" /S
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1104
    - C:\Users\Admin\AppData\Roaming\wh_Ultra\pythonw.exe
      command line: "C:\Users\Admin\AppData\Roaming\wh_Ultra\pythonw.exe" /S
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 1996
      - C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\SysWOW64\cmd.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        PID: 1892
        - C:\Windows\explorer.exe
          command line: "C:\Windows\explorer.exe" /S
          - Enumerates connected drives
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          PID: 4408
          - C:\Windows\SysWoW64\calc.exe
            command line: C:\Windows\SysWoW64\calc.exe
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 5052
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Temp\Requirements.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2484
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      PID: 2496
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72923F373BB08749839827CE83061791 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 4636
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5ABF09510C46B6297890BD633A45BEC9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5ABF09510C46B6297890BD633A45BEC9 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        PID: 1272
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC03D89F61CD6EABED98A08A2C0C2414 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1288
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BE5357285D63C6B0DB38CA46B050E6C7 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 1812
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2B8034B2704DE7D1CA643EAC1EFEDE67 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2B8034B2704DE7D1CA643EAC1EFEDE67 --renderer-client-id=6 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job /prefetch:1
        PID: 1104
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F8052D94DE0DE3964F7497FC918A3B9B --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        PID: 4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
  PID: 1016
- C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2132
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 64KB
MD5: 3df3c9d258679ccee4567278ab48c97d
SHA1: 0cd4e28f930ca5d30b73b5f07fabd51c95309eef
SHA256: 181f0ba491e8e88e907040d36a47a0e0c4ed5575ee15dbee3d2ddda5ad79869f
SHA512: c3567474fd402421b52eea430c437c805cc6c07cc018b2ab37f5546f4576e32c7ae77f49cae4f405e617ea4d49d9c190055031c9b457239bc9f6d07e15686522

Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Filesize: 2.4MB
MD5: f3408db6841b9472cb403310b445608d
SHA1: ea59bbe4a82d3af90b8db53f21f0438ae567ed0c
SHA256: 414b27b15dd5d1ad7b0806838e7e9d97a3fdd783fe9a55e7c114a1345dc88950
SHA512: 535dc3eb4fc899d65ecaaf299c9573076e1739625c100259c332ed40e5a46d3a2660b7a144507001a986f203a991484d6b8b7f7eb149b1e7cc87f8cc352db1b6

Filesize: 106KB
MD5: 49c96cecda5c6c660a107d378fdfc3d4
SHA1: 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256: 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512: e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Filesize: 49KB
MD5: cdec9e890deef870a230ac61480ba210
SHA1: 549a622bb93e5ab4114f10d8ed884d15be5e3777
SHA256: c36e7e60ca938247cb90be8af70a8044e965dd58c69260748f6bfe3e5109eb04
SHA512: ecb49dcaeaaf7fdefb622c8a2d7b8c187e8d791f8e26e16c669600aa24868d93cbccec0e7fc1cf0be12c7ea7b4f4412f0802e93ac5f2849229aa9c0b3e6bc98e

Filesize: 4.3MB
MD5: 8fbbe41173ae011a717c706f25d06121
SHA1: db35f1d1a0916cc0732b9747bd67a37e827440aa
SHA256: ccd635f18a955d0d6bec012be96de876bb2009ff522c3457df40792405637a5a
SHA512: 8a17ecd7545ccee3bba62df2c5a00b839f60e0009fa55d9c9d8cc962349a501c618d65f83de2a977bda9b4368224f6ea89a881478d58fa4b68a9891b998d985a

Filesize: 94KB
MD5: 9a4cc0d8e7007f7ef20ca585324e0739
SHA1: f3e5a2e477cac4bab85940a2158eed78f2d74441
SHA256: 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
SHA512: 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Filesize: 2.2MB
MD5: 95a2d2cbff9d49bb8f71a968e6d70692
SHA1: d1880df094228be3764a6d466396cd86a16749db
SHA256: 3074fd2d1c68a0224d9a1bb28c222ca303af7efe6a251b0ca2b7160c635ecdd5
SHA512: 09296b402aeeec2ba5e8005753533a78cf368b361b115e0d11d79375653036c0670918564bc53119a41e5d43a8680e69d339e44d34d33b53176e54550641e098

Filesize: 717KB
MD5: 720b78ca59dbb0e1b885f47b9c4eebd3
SHA1: 98629bc8c27329023931d158d2ab879e8136b5ff
SHA256: 73300eda96e39870895468cf7a7b90616b37d5d7673671c89db1776c192ed2be
SHA512: ee22206441b41881acbae939dba2f4269e652782ba485963f81d3ae2aedd3838bba2a673de502a367cdc5f1a8c33a08e120495a473d617f2ec049fa5f0be17ac