Analysis
max time kernel: 121s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2022 06:24
Behavioral task: behavioral1
Sample: 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Resource: win7-20220718-en
General
Target: 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Size: 1.1MB
MD5: fe1e96958b3daaa6d6a80a20180d558a
SHA1: 3512a79b0f93e8d82c5d6e9ed01c72895d34cd00
SHA256: 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49
SHA512: 80c01b5f188c4080d844c483f825f5e6b4c9e10e765d0e876b2d7617b10702dbf431486e22eabccf0dd074ea0a8fc6bdd608ea466f89de16599c16e28c0f58c5
Malware Config
Extracted
cobaltstrike
1. http://update.micrrosoft.life:8443/jquery-3.3.1.min.js
access_type: 512
beacon_type: 2048
host: update.micrrosoft.life,/jquery-3.3.1.min.js
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 45000
port_number: 8443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMzD/AZsTe+L9OMJsKFX3v1nhbQkO1ubtGq8teBoaBGRO84Q3felGNQB8iVNbFpmmoykrsbYwDu8Ir2LrfTROG3X5oGN8d6+lOg4zo6Rjfvrnydiv0dnxIfn02T1431q9GcIvSBHb7J7i/7f8tJPSHdJBOGtVJg9ienNWCF2WllwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4.234810624e+09
unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /jquery-3.3.2.min.js
user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark: 1
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Executes dropped EXE 1 IoCs
Processes (pid | process):
1688 | notepad.exe
Processes (resource | yara_rule):
behavioral2/memory/4844-132-0x00000000005B0000-0x00000000007C4000-memory.dmp | upx
behavioral2/memory/4844-137-0x00000000005B0000-0x00000000007C4000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | cmd.exe
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes (resource | yara_rule):
C:\Users\Admin\AppData\Local\Temp\实名举报.pdf | pdf_with_link_action
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Modifies Internet Explorer settings
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class 1 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid | process):
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid | process):
4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid | process):
4660 | AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid | process):
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
4660 | AcroRd32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process):
PID 4844 wrote to memory of 4524 | 4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 4844 wrote to memory of 4524 | 4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 4844 wrote to memory of 4524 | 4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 4844 wrote to memory of 1688 | 4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 4844 wrote to memory of 1688 | 4844 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 4524 wrote to memory of 4660 | 4524 | cmd.exe | AcroRd32.exe
PID 4524 wrote to memory of 4660 | 4524 | cmd.exe | AcroRd32.exe
PID 4524 wrote to memory of 4660 | 4524 | cmd.exe | AcroRd32.exe
PID 4660 wrote to memory of 4316 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 4316 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 4316 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 4592 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 4592 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 4592 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 3568 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 3568 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 4660 wrote to memory of 3568 | 4660 | AcroRd32.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2080 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
PID 3568 wrote to memory of 2440 | 3568 | RdrCEF.exe | RdrCEF.exe
Processes (process tree; the number in brackets is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\实名举报.pdf
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\实名举报.pdf"
        - Checks processor information in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E02985C2FEB9EEF62A7D16A8FC8919AD --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EDCD3B93C89FABBE04535C4E9707275B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EDCD3B93C89FABBE04535C4E9707275B --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF6D7F4B3336E4A73405C0A1CE5824E0 --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6EF58B4FAEC13D084B891A8788521D2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DC5A6E70CEF874FDB746E994C621510 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0B5D8F907A15276BD3255C0B6E07DCB8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0B5D8F907A15276BD3255C0B6E07DCB8 --renderer-client-id=8 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job /prefetch:1

      [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

  [2] C:\Users\Public\notepad.exe
      Command line: C:\Users\Public\notepad.exe
      - Executes dropped EXE

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\实名举报.pdf
Filesize: 35KB
MD5: f228c4bce0df6f0adcb25abcaf07ad32
SHA1: 05c562abf45371d29741eec5e184ebf0d94416f9
SHA256: be693b95442d67c7b295647c80f31dfe772e89281631ed9a68503ce541d3f4e6
SHA512: d9a0c96db7dac9f51392c09983eb0b35556bf4729a53af7ddaa624f25d7c1aa266ef46f557af58677c0540209c8d5038f65bbe11e59ace124fa72e27b64f0761

C:\Users\Public\notepad.exe
Filesize: 19KB
MD5: bf93b78f2ae8897ac87b60098900d199
SHA1: 5981781a12454db3e74557a568ab1993486168a4
SHA256: 748bf468297d335ca4f7213b27e6d38c2e400f98b835cf9f77eb935ec17ba613
SHA512: cd8d6db7cf94a4b7b962cbd2659bd7774cbdfc83cd9576ee3dcbf5b213eab217fa0c4ee9297e656386de56a9f27b3ec9e92ef7380b050f10f19c9e1af85d4783
Memory dumps (resource, Filesize where recorded):
memory/1688-140-0x000002800B9D0000-0x000002800BE42000-memory.dmp, Filesize: 4.4MB
memory/1688-138-0x000002800B9D0000-0x000002800BE42000-memory.dmp, Filesize: 4.4MB
memory/1688-139-0x000002800B5D0000-0x000002800B9D0000-memory.dmp, Filesize: 4.0MB
memory/1688-134-0x0000000000000000-mapping.dmp
memory/1688-143-0x000002800B5D0000-0x000002800B9D0000-memory.dmp, Filesize: 4.0MB
memory/2080-148-0x0000000000000000-mapping.dmp
memory/2440-151-0x0000000000000000-mapping.dmp
memory/3380-162-0x0000000000000000-mapping.dmp
memory/3568-146-0x0000000000000000-mapping.dmp
memory/4300-164-0x0000000000000000-mapping.dmp
memory/4316-144-0x0000000000000000-mapping.dmp
memory/4424-159-0x0000000000000000-mapping.dmp
memory/4484-166-0x0000000000000000-mapping.dmp
memory/4524-133-0x0000000000000000-mapping.dmp
memory/4592-145-0x0000000000000000-mapping.dmp
memory/4660-142-0x0000000000000000-mapping.dmp
memory/4844-132-0x00000000005B0000-0x00000000007C4000-memory.dmp, Filesize: 2.1MB
memory/4844-137-0x00000000005B0000-0x00000000007C4000-memory.dmp, Filesize: 2.1MB
memory/4976-156-0x0000000000000000-mapping.dmp