fatalrat | b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Size

789KB
MD5

17d107bf7243f76070c91cfeb18ed71e
SHA1

9f85566ad0ee040546411e38d9882054f396f621
SHA256

b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668
SHA512

684a4693f527f46983f6841dddab803bc36fc37152fd3c1ab2d441d3a559dd3fda37d5a145ef528efa8eddafe87ad996c140379922cc0da77e460a2120694900
SSDEEP

12288:0ubsNSOetfARQAPyGU+UwHbLl0tgT1MeQc57fPXzU8MpNfEz6Nw9x:0ubsnafAPyjs7LPP7ff5MpNfo6NSx

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4004-14-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe

Executes dropped EXE 1 IoCs

pid	Process
4004	客户端安全防范.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	客户端安全防范.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	客户端安全防范.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe
4004	客户端安全防范.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Token: SeRestorePrivilege	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
Token: SeDebugPrivilege	4004	客户端安全防范.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4212	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4004	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	85
PID 2244 wrote to memory of 4004	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	85
PID 2244 wrote to memory of 4004	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	85
PID 2244 wrote to memory of 4212	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	87
PID 2244 wrote to memory of 4212	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	87
PID 2244 wrote to memory of 4212	2244	b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe	87
PID 4212 wrote to memory of 3348	4212	AcroRd32.exe	88
PID 4212 wrote to memory of 3348	4212	AcroRd32.exe	88
PID 4212 wrote to memory of 3348	4212	AcroRd32.exe	88
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 2180	3348	RdrCEF.exe	89
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90
PID 3348 wrote to memory of 3532	3348	RdrCEF.exe	90

C:\Users\Admin\AppData\Local\Temp\b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe
"C:\Users\Admin\AppData\Local\Temp\b20b9e1d8707e147e2312ca5cf11470b401e3518bb9489d8d31e428635a82668.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\客户端安全防范.exe
  "C:\Users\Admin\AppData\Local\Temp\客户端安全防范.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\客户端安全防范.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D86E05D62E0E55F124FB66CDA69753D8 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2180
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D934001ADD09F61001B7884BCC0A65A2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D934001ADD09F61001B7884BCC0A65A2 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3532
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D1B3BC215C88E68CE7E512907390AB5E --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3848
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=78F20F75B1D1CE65A05CDA56F9F6860F --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3636
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=011B6077EA1EC78F14FB73644A85D081 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=011B6077EA1EC78F14FB73644A85D081 --renderer-client-id=6 --mojo-platform-channel-handle=2244 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3204
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D33BE39C04411273B3B6EE31529B685A --mojo-platform-channel-handle=2252 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b78f864984a2506fddb142e51c8635a3

SHA1
972ef92098ea99c4a337a00dd359c8600eaadc64

SHA256
89a8a7c69b7ee87bad3d6b0c180cdb6f9cacf16657c269c98389d661c7391f88

SHA512
9973497d94e6e5b91e0c5d31f81238b9e4c8a7ea9c16836adbdc9d26e9b4e96aa86db2d6c1f1e7ba42ad16407d72dc028d595f6398888acb59da8b2e7e00b146

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\客户端安全防范.exe

Filesize
192KB

MD5
35c9b6da794925ee797ce0f6aff3b65b

SHA1
8b2b5d61fc207ffc1483af64da93b61ea6f822f3

SHA256
032fa2a25fe3191577ef3e046b524d1af6d7a94619603309a36d8746f02a8238

SHA512
bcc4576d8f61a02711823e0cc66d9e008006335a28ead8b39cbe5459cf37c88b14c5aa086467c7a3cbb0c8f9f34197fcc30996dda3fc4a030949bc72599c1ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\客户端安全防范.pdf

Filesize
269KB

MD5
d9a15b0221f217a9ae7e2aa169e7cff1

SHA1
f54b71f1524a9adc7654335160e06d7088b63a63

SHA256
126c9b425f2d8f1945ae175761f91de7af1538de12d68083df9fc4283eb76908

SHA512
939edd5c87fca83388044f9b75722073df1a85bb2638ad2001933c9863785eb2fa1deebeb20b2701691768dc0b4ae4a9a08cbb8557953f6f5a0a0f3261512635

Download Submit
memory/4004-14-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download