cobaltstrike | e7bf6176eb0f048d92c32f88265fb268e1fcb95c010b8ac561a830b20be0b756

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
Size

6.3MB
MD5

e2702d7772965f4aea5d7a01d027f481
SHA1

c5a7518605e64882fc54d47e1234466ab33bab5b
SHA256

d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67
SHA512

95a5263364718ec88d7deebb76ebe4342e6cb86838e8b4217a135925f588792bb8ca25f5e17237abd61b171f671c80fa0a8c185c44f1972de274c41aeee5eec6
SSDEEP

196608:f8n+RHarkpO1zCypLpJfsdrJTeEbPt1m3wQ+l:ET31zdRpJUdJTZDt1m2

Score

10^/10

cobaltstrike 1359593325 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://47.100.229.207:80/bootstrap-2.min.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

1359593325

http://47.100.229.207:80/api/user

Attributes

access_type
512
host
47.100.229.207,/api/user
http_header1
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAI9BY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
1000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPdyzFRVv7L5NJsDxJsRBqH7w21Me44wpG9eJzt4tko0k/p8jrDpu8ys/AWwm1UOBidaPL/AfTpvIkrjfbvJphRIOpNZRbLb+uZwy0ZD0Jw5uU7ZSAjHcFJ9uWnayQotYrnmqMJZs9LKSzMz2BN0Y7MAu9Ktx2yOWMc4IJ+ZzMawIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.018841856e+09
unknown2
AAAABAAAAAEAAAAMAAAAAgAAABQAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/login
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exeAcroRd32.exe

pid	process
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
4588	AcroRd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe

description pid process

Token: 35 3484 d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4588 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4588 AcroRd32.exe
4588 AcroRd32.exe
4588 AcroRd32.exe
4588 AcroRd32.exe
4588 AcroRd32.exe
4588 AcroRd32.exe

description	pid	process
Token: 35	3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exed69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3724 wrote to memory of 3484	3724	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
PID 3724 wrote to memory of 3484	3724	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
PID 3484 wrote to memory of 244	3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe	cmd.exe
PID 3484 wrote to memory of 244	3484	d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe	cmd.exe
PID 244 wrote to memory of 4588	244	cmd.exe	AcroRd32.exe
PID 244 wrote to memory of 4588	244	cmd.exe	AcroRd32.exe
PID 244 wrote to memory of 4588	244	cmd.exe	AcroRd32.exe
PID 4588 wrote to memory of 1776	4588	AcroRd32.exe	RdrCEF.exe
PID 4588 wrote to memory of 1776	4588	AcroRd32.exe	RdrCEF.exe
PID 4588 wrote to memory of 1776	4588	AcroRd32.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3744	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe
PID 1776 wrote to memory of 3768	1776	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
"C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe
"C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SYSTEM32\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.pdf
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.pdf"
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=256219470513D701800ECB45B92F1EF5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=256219470513D701800ECB45B92F1EF5 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3744

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E3A3F2B17A9EC487BA7AB10D19D4C65F --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=586BA4A2054E0AF2F2A9A9B2A66C0EBF --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=650ECF28875A525161150ADCF294DBC3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=650ECF28875A525161150ADCF294DBC3 --renderer-client-id=5 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3029EA7D0AC9A6A9A1A5FDEE87AEE2EA --mojo-platform-channel-handle=2728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:4324

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DA92D6AE3CD49E0128539020184F30F5 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
2ab90a12ce8649c749adabb819707c24

SHA1
acec96c1261dd413fc7cc48315def65a12d6e8b7

SHA256
f37e74d4bdd3a904fb96a7bd65018588ff07c7fbb00f4befc37cb62db0e1021b

SHA512
ff24407cfb51e8dac1f8c2512d544de8a73a2fb6830f92b46525da8003645899d6a73c487a23ae867e69a61d6bc21eca6f655af1846d34d955f98ed1affb645f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_bz2.pyd
Filesize
92KB

MD5
781086049c52d0daa1c5b9116191935f

SHA1
b92e842eb16802e6ac588ba7f2ecb5a2ee58830f

SHA256
caf5544d3dedc1e7eae3c32895dffcd9cab54904eb2bd5149a68480622702b28

SHA512
d2b37456eca5b0135acb911f9f10b93b119392cf2a4ea1c16139c6461b9ea61b23c47c4129177cc46bf831fc77af12ca097ddd248b39d570a3608b93c093bd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_bz2.pyd
Filesize
92KB

MD5
781086049c52d0daa1c5b9116191935f

SHA1
b92e842eb16802e6ac588ba7f2ecb5a2ee58830f

SHA256
caf5544d3dedc1e7eae3c32895dffcd9cab54904eb2bd5149a68480622702b28

SHA512
d2b37456eca5b0135acb911f9f10b93b119392cf2a4ea1c16139c6461b9ea61b23c47c4129177cc46bf831fc77af12ca097ddd248b39d570a3608b93c093bd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_ctypes.pyd
Filesize
128KB

MD5
0048255ea3e120c19def1329d9b1ea6c

SHA1
f9449147f9702dc552b92700a6a1fae49234afe0

SHA256
6535a1127e6267c3db2046d24bb350946236899d372b85357395be66cb67e701

SHA512
874e0d2958d47673bfade57288a6a305f0f82b7ae0fcff94cbc200a33c6205c05f3ffc8b4535aec6377818aece736f728ff7640be9a6974833af1b808559f07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_ctypes.pyd
Filesize
128KB

MD5
0048255ea3e120c19def1329d9b1ea6c

SHA1
f9449147f9702dc552b92700a6a1fae49234afe0

SHA256
6535a1127e6267c3db2046d24bb350946236899d372b85357395be66cb67e701

SHA512
874e0d2958d47673bfade57288a6a305f0f82b7ae0fcff94cbc200a33c6205c05f3ffc8b4535aec6377818aece736f728ff7640be9a6974833af1b808559f07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_hashlib.pyd
Filesize
1.6MB

MD5
1f1b16ce322a3579621eb2298021ae5d

SHA1
564cda201a32c8c45d201700327c9f445c31ceea

SHA256
a6fcba0c96ae6bd77ab3cf2e1f00123a7a078af8352e29748110e1cfa7e0645f

SHA512
a03a3818ded1f448c7c81c4b107decafc3ecf5635a6a6d3e98c2243311a0f567ce608eb68da808b8ed454a3b2a96c1b7467e14dd604fc3aaece43d5e93168a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_hashlib.pyd
Filesize
1.6MB

MD5
1f1b16ce322a3579621eb2298021ae5d

SHA1
564cda201a32c8c45d201700327c9f445c31ceea

SHA256
a6fcba0c96ae6bd77ab3cf2e1f00123a7a078af8352e29748110e1cfa7e0645f

SHA512
a03a3818ded1f448c7c81c4b107decafc3ecf5635a6a6d3e98c2243311a0f567ce608eb68da808b8ed454a3b2a96c1b7467e14dd604fc3aaece43d5e93168a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_lzma.pyd
Filesize
248KB

MD5
b89e3510c3cb812812c7eca86755a929

SHA1
9dcb54f69aea59fdcf2e07ce12e8b743a211888a

SHA256
3621b4a48f64a85505d15d73eb347933ecb3ff87844a33d24a535ac4b0720ce1

SHA512
194a2ae8c82a83ca6eda5f9ec3c859b73e68d4db32284b2513a3c3467bbb54f6568a6a84a8fa50b945c50ec9e22080b0e8f7aaf7f42c19dc7c85f9ae36666e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_lzma.pyd
Filesize
248KB

MD5
b89e3510c3cb812812c7eca86755a929

SHA1
9dcb54f69aea59fdcf2e07ce12e8b743a211888a

SHA256
3621b4a48f64a85505d15d73eb347933ecb3ff87844a33d24a535ac4b0720ce1

SHA512
194a2ae8c82a83ca6eda5f9ec3c859b73e68d4db32284b2513a3c3467bbb54f6568a6a84a8fa50b945c50ec9e22080b0e8f7aaf7f42c19dc7c85f9ae36666e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\base_library.zip
Filesize
768KB

MD5
bd841aa2d1650221c2ed8f36b60c0167

SHA1
55e6bc5e479293b9efb612df92290620adbff06e

SHA256
eb78798004daa1a32badf74a5131aa4d0b41dc4c41f74a060b42f85de4e7fd4b

SHA512
fef9702e034aac75d0e095a5a44261db6fee113e64fdbf03b94d815260fd4027f41fe13dab773ed3ace6f2fa4b47642cddec225409c14d871a2f348db2bc04dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\python36.dll
Filesize
3.4MB

MD5
fe983cda06dc52dacb19f2ec948b39d2

SHA1
74bdef7de87468e42c22e4bee7f9fc8bc528204a

SHA256
a082a2ab69ebf8f1bfabcd2387de47b95cb0f142d5ef39571e1f667131d64847

SHA512
1d01c3b722b36c2678c1368720b4eda1f9f57a258680757baa383b99d32466842b44ae6308aa7c6aebb9c94eb1135f7b855aad8e835ded31336cf01477987fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\python36.dll
Filesize
3.4MB

MD5
fe983cda06dc52dacb19f2ec948b39d2

SHA1
74bdef7de87468e42c22e4bee7f9fc8bc528204a

SHA256
a082a2ab69ebf8f1bfabcd2387de47b95cb0f142d5ef39571e1f667131d64847

SHA512
1d01c3b722b36c2678c1368720b4eda1f9f57a258680757baa383b99d32466842b44ae6308aa7c6aebb9c94eb1135f7b855aad8e835ded31336cf01477987fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\pywintypes36.dll
Filesize
133KB

MD5
1bd3075cbff50b3761065efa900b9dbd

SHA1
94a43392a5f1644d5c0809704afb21a3df28f94f

SHA256
88653bb3828f9a4ce988ff92f56976e08540cbe14bd8d87bab5dd044e0d5a66e

SHA512
b673714e4756b635592a117d5ebba2960ecc8c856bb5d8bd30b6ad2154906606b131b0771c12f29cfb0e110f45fedb25834d2da96b523040da4f5bbcfe62c051

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\pywintypes36.dll
Filesize
133KB

MD5
1bd3075cbff50b3761065efa900b9dbd

SHA1
94a43392a5f1644d5c0809704afb21a3df28f94f

SHA256
88653bb3828f9a4ce988ff92f56976e08540cbe14bd8d87bab5dd044e0d5a66e

SHA512
b673714e4756b635592a117d5ebba2960ecc8c856bb5d8bd30b6ad2154906606b131b0771c12f29cfb0e110f45fedb25834d2da96b523040da4f5bbcfe62c051

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\ucrtbase.dll
Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\ucrtbase.dll
Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\win32api.pyd
Filesize
136KB

MD5
62e5cdef1cfc1adedb8172e501b3223d

SHA1
6c916a6d2f639560416ecf15b5aa2a82ff895850

SHA256
905326688071915f708995265081c4053393da13b10d8c2227a19fde9e535774

SHA512
db0b1b4c1022e07d09deb7f316848ac15aab50f54e7ac34274557e6c15301f5db4562951d20ae716a5c73b2b7d9f9d01f0f07ee4b2d0684cd4c50aed5d59e4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37242\win32api.pyd
Filesize
136KB

MD5
62e5cdef1cfc1adedb8172e501b3223d

SHA1
6c916a6d2f639560416ecf15b5aa2a82ff895850

SHA256
905326688071915f708995265081c4053393da13b10d8c2227a19fde9e535774

SHA512
db0b1b4c1022e07d09deb7f316848ac15aab50f54e7ac34274557e6c15301f5db4562951d20ae716a5c73b2b7d9f9d01f0f07ee4b2d0684cd4c50aed5d59e4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\d69dc8e0a175d54082c6f8650294e8a243536ca6183f4f62050f8bc017d05f67.pdf
Filesize
234KB

MD5
018beeb298700dc64768b0bad7de9489

SHA1
8b93a7efe82f045e87897a4ab6e632ed6752932a

SHA256
fe9bf1cbf494549c983ef65f113193e7d5be1c482bf92776033ea37331a51ed2

SHA512
3556184df9a5ed736a585d1e1f4c3f453965deeac28aa56a2e9b2f84d8cf694c511ac679449eeef55d54bfd1754d7b8e56f46cb8adef8c46b4f472d1c1fe1812

Download Submit
memory/3484-212-0x00000225EAF60000-0x00000225EAFAD000-memory.dmp

Filesize
308KB

Download
memory/3484-242-0x00000225EAF60000-0x00000225EAFAD000-memory.dmp

Filesize
308KB

Download
memory/3484-211-0x00000225EAB60000-0x00000225EAF60000-memory.dmp

Filesize
4.0MB

Download
memory/3484-206-0x00000225EA660000-0x00000225EA661000-memory.dmp

Filesize
4KB

Download
memory/4588-340-0x000000000A560000-0x000000000A581000-memory.dmp

Filesize
132KB

Download