cobaltstrike | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49

General

Target

77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Size

1.1MB
MD5

fe1e96958b3daaa6d6a80a20180d558a
SHA1

3512a79b0f93e8d82c5d6e9ed01c72895d34cd00
SHA256

77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49
SHA512

80c01b5f188c4080d844c483f825f5e6b4c9e10e765d0e876b2d7617b10702dbf431486e22eabccf0dd074ea0a8fc6bdd608ea466f89de16599c16e28c0f58c5

Score

10^/10

cobaltstrike 1 backdoor link pdf trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

1

C2

http://update.micrrosoft.life:8443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
update.micrrosoft.life,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAcSG9zdDogdXBkYXRlLm1pY3Jyb3NvZnQubGlmZQAAAAoAAAAlUmVmZXJlcjogaHR0cDovL3VwZGF0ZS5taWNyb3NvZnQuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAcSG9zdDogdXBkYXRlLm1pY3Jyb3NvZnQubGlmZQAAAAoAAAAlUmVmZXJlcjogaHR0cDovL3VwZGF0ZS5taWNyb3NvZnQuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMzD/AZsTe+L9OMJsKFX3v1nhbQkO1ubtGq8teBoaBGRO84Q3felGNQB8iVNbFpmmoykrsbYwDu8Ir2LrfTROG3X5oGN8d6+lOg4zo6Rjfvrnydiv0dnxIfn02T1431q9GcIvSBHb7J7i/7f8tJPSHdJBOGtVJg9ienNWCF2WllwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

notepad.exe

pid process

1688 notepad.exe

pid	process
1688	notepad.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4844-132-0x00000000005B0000-0x00000000007C4000-memory.dmp	upx
behavioral2/memory/4844-137-0x00000000005B0000-0x00000000007C4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	cmd.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\实名举报.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe
4660	AcroRd32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe

pid process

4844 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4660 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4660 AcroRd32.exe
4660 AcroRd32.exe
4660 AcroRd32.exe
4660 AcroRd32.exe
4660 AcroRd32.exe
4660 AcroRd32.exe

pid	process
4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4844 wrote to memory of 4524	4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe	cmd.exe
PID 4844 wrote to memory of 4524	4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe	cmd.exe
PID 4844 wrote to memory of 4524	4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe	cmd.exe
PID 4844 wrote to memory of 1688	4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe	notepad.exe
PID 4844 wrote to memory of 1688	4844	77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe	notepad.exe
PID 4524 wrote to memory of 4660	4524	cmd.exe	AcroRd32.exe
PID 4524 wrote to memory of 4660	4524	cmd.exe	AcroRd32.exe
PID 4524 wrote to memory of 4660	4524	cmd.exe	AcroRd32.exe
PID 4660 wrote to memory of 4316	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 4316	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 4316	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 4592	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 4592	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 4592	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 3568	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 3568	4660	AcroRd32.exe	RdrCEF.exe
PID 4660 wrote to memory of 3568	4660	AcroRd32.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2080	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe
PID 3568 wrote to memory of 2440	3568	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
"C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\实名举报.pdf
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\实名举报.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:4316

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:4592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E02985C2FEB9EEF62A7D16A8FC8919AD --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EDCD3B93C89FABBE04535C4E9707275B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EDCD3B93C89FABBE04535C4E9707275B --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
5⤵
PID:2440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF6D7F4B3336E4A73405C0A1CE5824E0 --mojo-platform-channel-handle=2276 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4976

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6EF58B4FAEC13D084B891A8788521D2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8DC5A6E70CEF874FDB746E994C621510 --mojo-platform-channel-handle=1904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0B5D8F907A15276BD3255C0B6E07DCB8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0B5D8F907A15276BD3255C0B6E07DCB8 --renderer-client-id=8 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:4300

C:\Users\Public\notepad.exe
C:\Users\Public\notepad.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\实名举报.pdf
Filesize
35KB

MD5
f228c4bce0df6f0adcb25abcaf07ad32

SHA1
05c562abf45371d29741eec5e184ebf0d94416f9

SHA256
be693b95442d67c7b295647c80f31dfe772e89281631ed9a68503ce541d3f4e6

SHA512
d9a0c96db7dac9f51392c09983eb0b35556bf4729a53af7ddaa624f25d7c1aa266ef46f557af58677c0540209c8d5038f65bbe11e59ace124fa72e27b64f0761

Download Submit
C:\Users\Public\notepad.exe
Filesize
19KB

MD5
bf93b78f2ae8897ac87b60098900d199

SHA1
5981781a12454db3e74557a568ab1993486168a4

SHA256
748bf468297d335ca4f7213b27e6d38c2e400f98b835cf9f77eb935ec17ba613

SHA512
cd8d6db7cf94a4b7b962cbd2659bd7774cbdfc83cd9576ee3dcbf5b213eab217fa0c4ee9297e656386de56a9f27b3ec9e92ef7380b050f10f19c9e1af85d4783

Download Submit
C:\Users\Public\notepad.exe
Filesize
19KB

MD5
bf93b78f2ae8897ac87b60098900d199

SHA1
5981781a12454db3e74557a568ab1993486168a4

SHA256
748bf468297d335ca4f7213b27e6d38c2e400f98b835cf9f77eb935ec17ba613

SHA512
cd8d6db7cf94a4b7b962cbd2659bd7774cbdfc83cd9576ee3dcbf5b213eab217fa0c4ee9297e656386de56a9f27b3ec9e92ef7380b050f10f19c9e1af85d4783

Download Submit
memory/1688-140-0x000002800B9D0000-0x000002800BE42000-memory.dmp

Filesize
4.4MB

Download
memory/1688-138-0x000002800B9D0000-0x000002800BE42000-memory.dmp

Filesize
4.4MB

Download
memory/1688-139-0x000002800B5D0000-0x000002800B9D0000-memory.dmp

Filesize
4.0MB

Download
memory/1688-134-0x0000000000000000-mapping.dmp

Download
memory/1688-143-0x000002800B5D0000-0x000002800B9D0000-memory.dmp

Filesize
4.0MB

Download
memory/2080-148-0x0000000000000000-mapping.dmp

Download
memory/2440-151-0x0000000000000000-mapping.dmp

Download
memory/3380-162-0x0000000000000000-mapping.dmp

Download
memory/3568-146-0x0000000000000000-mapping.dmp

Download
memory/4300-164-0x0000000000000000-mapping.dmp

Download
memory/4316-144-0x0000000000000000-mapping.dmp

Download
memory/4424-159-0x0000000000000000-mapping.dmp

Download
memory/4484-166-0x0000000000000000-mapping.dmp

Download
memory/4524-133-0x0000000000000000-mapping.dmp

Download
memory/4592-145-0x0000000000000000-mapping.dmp

Download
memory/4660-142-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x00000000005B0000-0x00000000007C4000-memory.dmp

Filesize
2.1MB

Download
memory/4844-137-0x00000000005B0000-0x00000000007C4000-memory.dmp

Filesize
2.1MB

Download
memory/4976-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads