Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13-10-2023 02:59
Static task
static1
Behavioral task
behavioral1
Sample
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
Resource
win10v2004-20230915-en
General
-
Target
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
-
Size
1.8MB
-
MD5
41b00fa23fb3b79db9203028ea9d03d4
-
SHA1
2bf0aedc99774acdff729b757ec057480cc004d3
-
SHA256
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409
-
SHA512
b4cacc9b3bef3a40335263ef24b49026f8b68e83fd685f6c5e397d2ee6846ea437fdca8888ef1677464d3c6026cd53c5fe1ddd0e1e4f36d4b565779c1881202d
-
SSDEEP
24576:LcGviP2CcmpREm3Tpj7juvMuY179aA82wlvCxVaIr7Fq5sMxn8ZiF35M8KD1vPl:L0rgDSw+sxPA8KD11
Malware Config
Extracted
cobaltstrike
100000
http://cache.jquerysource.co:443/jquery-3.3.0.min.js
-
access_type
512
-
beacon_type
2048
-
host
cache.jquerysource.co,/jquery-3.3.0.min.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
10000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmQEPSLVuoOihACFPRnPSA3ftXYZ5SROYUUuItwE4kyXr+Bf8AXVqBnXaGIG9WpHAq9W+MzS6EhuMVG3U2Od8d77hCK6QAEFRCBiVHE5/jyjCR0FbJyrmVm1Uzbfqae2vVQ+HwGRFQhdwFvj7upXuaEZmO+D0S5U7Rfo3p7eNozQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.16770176e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFMAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.1.min.js
-
user_agent
Mozilla/5.0 (Windows NT) AppleWebKit/537.36 (KHTML, like Gecko, Efficiently) Safari/537.36
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
backdoor.exe
pid | process
100 | backdoor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
AcroRd32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes:
cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
AcroRd32.exe
pid | process
4112 | AcroRd32.exe (20 entries, all with the same pid)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
pid | process
2832 | fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AcroRd32.exe
pid | process
4112 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
AcroRd32.exe
pid | process
4112 | AcroRd32.exe (6 entries, all with the same pid)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe, cmd.exe, AcroRd32.exe, RdrCEF.exe
description | pid | process | target process
PID 2832 wrote to memory of 1464 | 2832 | fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe | cmd.exe (3 entries)
PID 2832 wrote to memory of 100 | 2832 | fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe | backdoor.exe (2 entries)
PID 1464 wrote to memory of 4112 | 1464 | cmd.exe | AcroRd32.exe (3 entries)
PID 4112 wrote to memory of 1456 | 4112 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 1456 wrote to memory of 5040 | 1456 | RdrCEF.exe | RdrCEF.exe (41 entries)
PID 1456 wrote to memory of 2020 | 1456 | RdrCEF.exe | RdrCEF.exe (12 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe"
Level: 1
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf
Level: 2
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf"
Level: 3
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Level: 4
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8232EF255948A270E7C65B22DB903CFE --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Level: 5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AB1BFC04EEC81667710865E59B06B5BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AB1BFC04EEC81667710865E59B06B5BB --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
Level: 5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A518D5C7E7B6E792F8C0D66D243011E1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A518D5C7E7B6E792F8C0D66D243011E1 --renderer-client-id=4 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job /prefetch:1
Level: 5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F83F3CA8E8360796B348AB62F1B4387A --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Level: 5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1BFB09625E35BB9778878455025A3E67 --mojo-platform-channel-handle=2772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Level: 5
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D4108CA01F98C22B94A62F9E126D532C --mojo-platform-channel-handle=2516 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Level: 5
-
C:\Users\Public\backdoor.exe
Command line: C:\Users\Public\backdoor.exe
Level: 2
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Level: 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB
MD5
32da4483bf49ccee6c8d2137d79f2c20
SHA1
db2065ae5026f31e69f08cf1ae3102c06e1a7821
SHA256
88e1188238b565878bc63655bf57f2929769eef631b04c120bb58b67b7ab8f44
SHA512
66fcb92d476a30f975014a6f5190da67baf685078471453518095e8f615adf5f6fbcbf16078a04ec00b0c0c922ae39f2dd14ad49852c077341bfddf75536aebc
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB
MD5
b30d3becc8731792523d599d949e63f5
SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB
MD5
752a1f26b18748311b691c7d8fc20633
SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf
Filesize
130KB
MD5
fc5f31eb71eb2020241657580845e3e3
SHA1
4de78818457a9d5049c7f5bbf03dc1837da62554
SHA256
4b9f8b59ccaa105db2ea0e5c5601cbb4779e7ce286b90404f6dd1cfa76e78b32
SHA512
7ff3f6be060a57058e4d4764075d44aee6aa94e7cff531a0ce988f312d00e8b1dbc9c4969171f5d71dd1d458ebb8788d515822fab39d77bf01cb6424c9fd6fed
-
C:\Users\Public\backdoor.exe
Filesize
281KB
MD5
d742c33d6497d614ded13df915c2fd91
SHA1
8075b81c6c08afec7ba00b1c78187d9db439c643
SHA256
3ea45fb61da83cc278d27faf487c976af30e86fa5c3e3dccb4511e4ee82c9a06
SHA512
397fd6cf5d1064fb6081bc35a71180bf3f3abcc106a511069db3e4b5afc95a912fad277201dba781272b77d0056cbcc5d6cc87bcda95199386a527e9069e164d
-
memory/100-6-0x0000000000A20000-0x0000000000A61000-memory.dmp
Filesize
260KB
-
memory/100-7-0x0000000000CB0000-0x0000000001122000-memory.dmp
Filesize
4.4MB
-
memory/100-9-0x0000000000400000-0x000000000044E000-memory.dmp
Filesize
312KB
-
memory/4112-136-0x000000000AAD0000-0x000000000AD7B000-memory.dmp
Filesize
2.7MB