Analysis
max time kernel: 133s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 06-01-2022 03:26
Behavioral task: behavioral1
Sample: 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
Resource: win10-en-20211208
General
Target: 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
Size: 1.4MB
MD5: 5bda122840962b4fa884a5259064ed74
SHA1: baf9c557f397be3b58a9a8f56b8ff224ac231fec
SHA256: 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
SHA512: 4992c44c5b67d47a92964b3ceb7cfa70b079e3f18912104279998766e21acde6fc37834688a3d6270cb4a1081687eb153475cc9b2f5d11f43f4487a014429ba8
Malware Config

Extracted: metasploit
windows/download_exec
http://www.ctfwiki.workers.dev:443/_static/jquery-3.3.1.min.js

Extracted: cobaltstrike
305419896
http://qianx1n.xyz:443/jquery.min.js
access_type: 512
beacon_type: 2048
dns_idle: 1.908702538e+09
host: qianx1n.xyz,/jquery.min.js
http_header1:
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
jitter: 9472
maxdns: 255
polling_time: 45000
port_number: 443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine (base64 DER SubjectPublicKeyInfo of a 1024-bit RSA public key, zero-padded):
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyvfJWs++715HoMi9tlSZSgCf/o1NKJcRyCt2fTA4//I0nzqtcA1ePMsVi1OFNl2UlIXhJdeJXyZ+3km9g0VU6Lli+SRreeue/EolQNu6YmItro9iipWpHHpBxJvHPffpj0aivjN83hgY2CISRln6KsnXMspQpkSBBKYBL7Kv9kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4.184478976e+09
unknown2:
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /jquery.js
user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark: 305419896 (0x12345678)
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response

Blocklisted process makes network request (5 IoCs)
Processes:
flow | pid | process
11 | 1796 | rundll32.exe
21 | 1796 | rundll32.exe
36 | 1796 | rundll32.exe
40 | 1796 | rundll32.exe
41 | 1796 | rundll32.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1796 | rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\lnk = "C:\\ProgramData\\lnk.lnk" | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf | pdf_with_link_action

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe

Modifies Internet Explorer settings (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
pid | process | count
1680 | AcroRd32.exe | 20

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 456 | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
1680 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
pid | process | count
1680 | AcroRd32.exe | 6

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process | count
PID 456 wrote to memory of 1680 | 456 | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe | AcroRd32.exe | 3
PID 456 wrote to memory of 1796 | 456 | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe | rundll32.exe | 3
PID 456 wrote to memory of 2300 | 456 | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe | cmd.exe | 3
PID 1680 wrote to memory of 1176 | 1680 | AcroRd32.exe | RdrCEF.exe | 3
PID 1176 wrote to memory of 1676 | 1176 | RdrCEF.exe | RdrCEF.exe | 41
PID 1176 wrote to memory of 856 | 1176 | RdrCEF.exe | RdrCEF.exe | 11
Processes (children indented under their parent)

C:\Users\Admin\AppData\Local\Temp\8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe"
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E148DE2FA29AC8586A27B3E6572D5F2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19814FA9010E385214125F7CA7842D38 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19814FA9010E385214125F7CA7842D38 --renderer-client-id=2 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job /prefetch:1

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EAC047C88C186D4E3E97800D6513D1A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EAC047C88C186D4E3E97800D6513D1A7 --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9716DC3EE8287C1F9E4AD8B9D7B0C39 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=454722F0D6C2BC9BA3F9F30F50346877 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CE153E8816F7571D6E51BC13EEEA076 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

  C:\windows\SysWOW64\rundll32.exe
    command line: "C:\windows\system32\rundll32.exe" "C:\ProgramData\test.dll",Start
    - Blocklisted process makes network request
    - Loads dropped DLL

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8307B7~1.EXE > nul

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\test.dll
MD5: 46048d51dd824be472c93aa05ef0a353
SHA1: f7f7c3a5aed0db850365a4b1fac45c7415859eb0
SHA256: 17f52e0144b2c518e5dab0bb1f8ef06378cb6caba1593c47653aa936670e8526
SHA512: c4ec061692f1e5772916fb855a278bbd06cafcaded791c2387af0989df9845c23c0221950a003875252416e122c651146111d44d57f7ff760ac7f2450654ca46

C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf
(the file name is GBK text shown as Latin-1; decoded it reads 奇安信安全攻防演习加固指导手册.pdf, a "Qi An Xin security attack/defense exercise hardening guidance manual")
MD5: 1fb15a15ad8271da571d536684d1f7bd
SHA1: df7ca8fe4fae41b0f3d5ad320b237ad5aff5b2b6
SHA256: 1af9106309a8276e3b48e3a45d2b7defe3112dbc76c087ad1db82d81abfd9957
SHA512: 97c92964c71d353102aec9f031e3894a1f35cb08e472d2c30394a965ded6d3b53273236c18d010e529769ca4440f73deab6097e3a57c43201c4caae6fd601215

\ProgramData\test.dll
MD5: 46048d51dd824be472c93aa05ef0a353
SHA1: f7f7c3a5aed0db850365a4b1fac45c7415859eb0
SHA256: 17f52e0144b2c518e5dab0bb1f8ef06378cb6caba1593c47653aa936670e8526
SHA512: c4ec061692f1e5772916fb855a278bbd06cafcaded791c2387af0989df9845c23c0221950a003875252416e122c651146111d44d57f7ff760ac7f2450654ca46

memory/856-132-0x0000000000000000-mapping.dmp
memory/856-135-0x0000000001020000-0x0000000001021000-memory.dmp  Filesize: 4KB
memory/856-131-0x0000000000BFC000-0x0000000000BFD000-memory.dmp  Filesize: 4KB
memory/856-134-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
memory/856-130-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB
memory/1176-125-0x0000000000000000-mapping.dmp
memory/1388-138-0x0000000000000000-mapping.dmp
memory/1388-137-0x0000000000FBC000-0x0000000000FBD000-memory.dmp  Filesize: 4KB
memory/1388-136-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB
memory/1676-127-0x0000000001027000-0x0000000001028000-memory.dmp  Filesize: 4KB
memory/1676-128-0x0000000000000000-mapping.dmp
memory/1676-129-0x0000000000170000-0x0000000000171000-memory.dmp  Filesize: 4KB
memory/1676-126-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB
memory/1680-115-0x0000000000000000-mapping.dmp
memory/1796-123-0x0000000004FE0000-0x0000000005452000-memory.dmp  Filesize: 4.4MB
memory/1796-122-0x0000000004FE0000-0x0000000005452000-memory.dmp  Filesize: 4.4MB
memory/1796-120-0x0000000004450000-0x0000000004451000-memory.dmp  Filesize: 4KB
memory/1796-124-0x0000000004BE0000-0x0000000004FE0000-memory.dmp  Filesize: 4.0MB
memory/1796-116-0x0000000000000000-mapping.dmp
memory/1948-150-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB
memory/1948-152-0x0000000000000000-mapping.dmp
memory/1948-151-0x0000000000FBD000-0x0000000000FBE000-memory.dmp  Filesize: 4KB
memory/2196-142-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB
memory/2196-143-0x0000000000FBC000-0x0000000000FBD000-memory.dmp  Filesize: 4KB
memory/2196-144-0x0000000000000000-mapping.dmp
memory/2300-119-0x0000000000000000-mapping.dmp
memory/3160-148-0x0000000000000000-mapping.dmp
memory/3160-147-0x0000000000FB1000-0x0000000000FB2000-memory.dmp  Filesize: 4KB
memory/3160-146-0x0000000077932000-0x0000000077933000-memory.dmp  Filesize: 4KB