cobaltstrike | 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
Size

2.6MB
MD5

146bbdff9871cfc484839ed59b994a2f
SHA1

ff44b337bd1ee4439f7d5330d426b1e510113351
SHA256

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82
SHA512

faf3ab3ec5ef9a4f43299937060764940a8f1b6c01309bfda52942dfd9ae9c45e909ed67b0cdbeee8f3c8c9cd88f9d34557427e9c2359dca06c37fe95b565d31
SSDEEP

49152:uB7HRCcJmv2aLv6xXV1/+/P3bhu2elmHPOcFl1Co/QeJe1MxtIP44V/ySQ0:W7+2gv6v1ihGcHPFi6pPGh

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://116.204.24.189:8888/MqQN

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

Executes dropped EXE 1 IoCs

Processes:

artifact.exe

pid process

696 artifact.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
696	artifact.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe
4044	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4044 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

4044 AcroRd32.exe
4044 AcroRd32.exe
4044 AcroRd32.exe
4044 AcroRd32.exe
4044 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2956 wrote to memory of 696	2956	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2956 wrote to memory of 696	2956	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2956 wrote to memory of 4044	2956	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 2956 wrote to memory of 4044	2956	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 2956 wrote to memory of 4044	2956	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 4044 wrote to memory of 4512	4044	AcroRd32.exe	RdrCEF.exe
PID 4044 wrote to memory of 4512	4044	AcroRd32.exe	RdrCEF.exe
PID 4044 wrote to memory of 4512	4044	AcroRd32.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 2892	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe
PID 4512 wrote to memory of 836	4512	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
"C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\Temp\artifact.exe
"C:\Windows\Temp\artifact.exe"
2⤵
- Executes dropped EXE
PID:696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6435E192EFBD612899CBB830221F22A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C14AD2380A32F4B2B42332030005C4F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C14AD2380A32F4B2B42332030005C4F6 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
4⤵
PID:836

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F9E06CE456171694E6D5361338C1B1BC --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3304

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F7382C2C4A64D764F51202985961165D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F7382C2C4A64D764F51202985961165D --renderer-client-id=5 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69C6F74FBB230D8213A5DD2287C1DDF1 --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=28E916895AAAE2B7F47001C680C59B39 --mojo-platform-channel-handle=2900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
5ae0dc1310fd6d06115a4846879beac9

SHA1
4c6e8e6049922da4756d3b18633467109b16d758

SHA256
f8f191b0b68f5b239df3c98a743b3c65474f769b51ed69fc886d7c4838228a39

SHA512
b5f7eeadea99926503ae00d4e09c11f7b96bc72472f53c4c4f1760b2918e7c221b0cd74210e7f7843173efbca0aed7ad117b1a26c51dac8e00c6f82322d6c58d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
3d83913ef2353b5ad5f6866a3b692a74

SHA1
c999eb327e763f3496cee6219e6aea0b9665d55c

SHA256
6639f59eec6349831eea7e316c7c990421d41db8be121e8641f156783e082f1c

SHA512
5f531a97d063423c74c3b4b1a914548aad5d3a1fd2c2a0fa0be7d19583951ad394eec63bc5a0e7243425c4cbaa52a46bc58794bb80d5d8bdba309aa4ae60f50b

Download Submit
C:\Windows\Temp\artifact.exe
Filesize
19KB

MD5
baf284515fd1e008de905653576ba26a

SHA1
6c8ab2c8be44d39d84ab1a6d9a5bdc0079ba96f1

SHA256
ea4f06ccea1219dc39299afeb22eea3a2e2cbf8ca13b4d22bbcf3e5dde91d780

SHA512
74e1a31698488439978a3f06487634626a4a581532cf4db58af9a87a08cc4824d2e8a08e2fb023637b4ff65dfdbad6acab69cc78786e18c4d7e3d413dd5ffd6b

Download Submit
C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf
Filesize
2.3MB

MD5
b4d255b6390bf346e1ba34d9f4f609c4

SHA1
1ea8820f614ac72386f2fe30139ddefe75507033

SHA256
a6fa60973c1045048b5e2e906f18ec40dfe4183302afb74bfbab7450e1d80306

SHA512
fbf6e97bbecdb263066f481a20257e0900d36d0d76ef96e5f56b95771839c27456d2aa9a57da74811ea67433f27ddabce2fa51e6567e2488f0bbf2c969309fec

Download Submit
memory/696-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/696-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download