cobaltstrike | f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08

General

Target

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
Size

690KB
MD5

9c161668cc77563a0415c6b0b92bd6ba
SHA1

829a37bac477c316750199819070b56a55749199
SHA256

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08
SHA512

eb0dc6b6832c75de9062f2271d9f678e478721b0426b0a7ed8a0df7fd7ebf573745f6e942c57aebb47076114b06c0490103e948399867b4a3c2e74b3b39d9715
SSDEEP

12288:WalHzyq8D3Pe3I3RsVFPIOXQfEKIdgQBR3P7r9r/+ppppppppppppppppppppppJ:WEazPe42VmfdIdgQBN1q

Score

10^/10

cobaltstrike 0 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.108.173.88:8099/load

Attributes

access_type
512
host
47.108.173.88,/load
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
60000
port_number
8099
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1092 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1092 AcroRd32.exe
1092 AcroRd32.exe
1092 AcroRd32.exe
1092 AcroRd32.exe
1092 AcroRd32.exe
1092 AcroRd32.exe

pid	process
1092	AcroRd32.exe

pid	process
1092	AcroRd32.exe
1092	AcroRd32.exe
1092	AcroRd32.exe
1092	AcroRd32.exe
1092	AcroRd32.exe
1092	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4816 wrote to memory of 1092	4816	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 4816 wrote to memory of 1092	4816	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 4816 wrote to memory of 1092	4816	f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe	AcroRd32.exe
PID 1092 wrote to memory of 1700	1092	AcroRd32.exe	RdrCEF.exe
PID 1092 wrote to memory of 1700	1092	AcroRd32.exe	RdrCEF.exe
PID 1092 wrote to memory of 1700	1092	AcroRd32.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 1352	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe
PID 1700 wrote to memory of 2432	1700	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe
"C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46BF6F4EB321CA26A3D019565E598C24 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4FEA6CEDF300D4CE9F7B83CC4FB53D44 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4FEA6CEDF300D4CE9F7B83CC4FB53D44 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=950E92187215CA3BED38DF10CDDBAB35 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=950E92187215CA3BED38DF10CDDBAB35 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=359535547B975017F396C56D8846A6B2 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C7E30BE65B7AAD48D348A821EB75FEF7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C7E30BE65B7AAD48D348A821EB75FEF7 --renderer-client-id=6 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4852

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=11D2685654B680A358B198F5A1237E77 --mojo-platform-channel-handle=2964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3812

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD976C602B8CC6D41243D9AF7FE566EE --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
ed38af82f8a68adc836adcbcc3c722aa

SHA1
570518c07db50b78b48520436c53223e060bbb63

SHA256
8f56b80bb9e30438f9fd9701a0f393e141ea278415d1224b8abe287e5498e0d9

SHA512
b965ad26bdc74597ba7804a9eb638c579ce1d7ac5e596821f4c4a64b3f552a2736c85ad4af7a7f63d0c1e447b5cd27ea3fde2327f8b5d74ef1f7b6c765d3d923

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
6fcbcf52fe4e749e1bd607d2dff65a53

SHA1
7857ee973af6e993511729d92af1867d6aa8b9ae

SHA256
64291cbda4fe420dea360c1df096ff141a4913fe4c882ccf368fde9921c29cb4

SHA512
2ab26b7f8e15bf1abd99beeb720b7acafac47729da251f366c7d460f2fd45ca5828b333b3f03bf09e0cffce01463f31d8ca855f1540792c6edae288f46aae076

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08.pdf
Filesize
42KB

MD5
d776c75b72ad3c36421709cfd7e323af

SHA1
3a0a709e88ab03fb47d33f60f90ce0baf7ab6fff

SHA256
569629f78789fb257da5fe32e1924c8fcc6da5d2ea1497485c7ca4d18fd3c0e5

SHA512
54437d31026f626020eeba40f09823ba5f214163caae87109484ed7939e0e31f20aaee6b5d05072985accfd2db57a733ab194fb28ef2d9545f93670168f05f27

Download Submit
memory/4816-97-0x0000016C2FF80000-0x0000016C30080000-memory.dmp

Filesize
1024KB

Download
memory/4816-98-0x0000016C2E7C0000-0x0000016C2E80C000-memory.dmp

Filesize
304KB

Download
memory/4816-105-0x0000016C2FF80000-0x0000016C30080000-memory.dmp

Filesize
1024KB

Download
memory/4816-106-0x0000016C2E7C0000-0x0000016C2E80C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads