netwire | b6be90e3f72bce2fe0ec0a1d5c4117d81955b214f5de72dd189739ab8175ef30

General

Target

Shell-996933_29-07-2020.exe
Size

467KB
MD5

5102ee8e4128267915b1c288b82ce6b5
SHA1

63344aefdf0b14a864c24abbb0884d769b3595ac
SHA256

54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555
SHA512

fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

43.226.229.43:2030

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
TangoTango
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1152-134-0x0000000002430000-0x0000000002463000-memory.dmp	netwire
behavioral2/memory/3440-150-0x00000000023C0000-0x00000000023F3000-memory.dmp	netwire
behavioral2/memory/3196-151-0x0000000003160000-0x0000000003193000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

1776 Host.exe
3440 Host.exe
1264 Host.exe

pid	process
1776	Host.exe
3440	Host.exe
1264	Host.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Shell-996933_29-07-2020.exeShell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Shell-996933_29-07-2020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Shell-996933_29-07-2020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Shell-996933_29-07-2020.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exeShell-996933_29-07-2020.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Shell-996933_29-07-2020.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Shell-996933_29-07-2020.exe"	Shell-996933_29-07-2020.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Shell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exe

description	pid	process	target process
PID 4344 set thread context of 1152	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 1776 set thread context of 3440	1776	Host.exe	Host.exe
PID 4996 set thread context of 3196	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

Shell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	Shell-996933_29-07-2020.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	Shell-996933_29-07-2020.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Shell-996933_29-07-2020.exeShell-996933_29-07-2020.exeShell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exeHost.exeHost.exeShell-996933_29-07-2020.exeShell-996933_29-07-2020.exe

pid	process
4344	Shell-996933_29-07-2020.exe
4344	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
1152	Shell-996933_29-07-2020.exe
1152	Shell-996933_29-07-2020.exe
1152	Shell-996933_29-07-2020.exe
1152	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
3740	Shell-996933_29-07-2020.exe
1776	Host.exe
1776	Host.exe
4996	Shell-996933_29-07-2020.exe
4996	Shell-996933_29-07-2020.exe
3440	Host.exe
3440	Host.exe
3440	Host.exe
3440	Host.exe
1264	Host.exe
1264	Host.exe
1264	Host.exe
1264	Host.exe
3196	Shell-996933_29-07-2020.exe
3196	Shell-996933_29-07-2020.exe
3196	Shell-996933_29-07-2020.exe
3196	Shell-996933_29-07-2020.exe
1264	Host.exe
1264	Host.exe
820	Shell-996933_29-07-2020.exe
820	Shell-996933_29-07-2020.exe
820	Shell-996933_29-07-2020.exe
820	Shell-996933_29-07-2020.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Shell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exe

pid process

4344 Shell-996933_29-07-2020.exe
1776 Host.exe
4996 Shell-996933_29-07-2020.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3168 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exeAdobeARM.exe

pid	process
3168	AcroRd32.exe
1260	AcroRd32.exe
2388	AcroRd32.exe
3168	AcroRd32.exe
3168	AcroRd32.exe
3168	AcroRd32.exe
3168	AcroRd32.exe
3168	AcroRd32.exe
2484	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Shell-996933_29-07-2020.exeShell-996933_29-07-2020.exeShell-996933_29-07-2020.exeHost.exeShell-996933_29-07-2020.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4344 wrote to memory of 1260	4344	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 4344 wrote to memory of 1260	4344	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 4344 wrote to memory of 1260	4344	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 4344 wrote to memory of 1152	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4344 wrote to memory of 1152	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4344 wrote to memory of 1152	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4344 wrote to memory of 3740	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4344 wrote to memory of 3740	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4344 wrote to memory of 3740	4344	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 1152 wrote to memory of 1776	1152	Shell-996933_29-07-2020.exe	Host.exe
PID 1152 wrote to memory of 1776	1152	Shell-996933_29-07-2020.exe	Host.exe
PID 1152 wrote to memory of 1776	1152	Shell-996933_29-07-2020.exe	Host.exe
PID 3740 wrote to memory of 4996	3740	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 3740 wrote to memory of 4996	3740	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 3740 wrote to memory of 4996	3740	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 1776 wrote to memory of 2388	1776	Host.exe	AcroRd32.exe
PID 1776 wrote to memory of 2388	1776	Host.exe	AcroRd32.exe
PID 1776 wrote to memory of 2388	1776	Host.exe	AcroRd32.exe
PID 4996 wrote to memory of 3168	4996	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 4996 wrote to memory of 3168	4996	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 4996 wrote to memory of 3168	4996	Shell-996933_29-07-2020.exe	AcroRd32.exe
PID 1776 wrote to memory of 3440	1776	Host.exe	Host.exe
PID 1776 wrote to memory of 3440	1776	Host.exe	Host.exe
PID 1776 wrote to memory of 3440	1776	Host.exe	Host.exe
PID 1776 wrote to memory of 1264	1776	Host.exe	Host.exe
PID 1776 wrote to memory of 1264	1776	Host.exe	Host.exe
PID 1776 wrote to memory of 1264	1776	Host.exe	Host.exe
PID 4996 wrote to memory of 3196	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4996 wrote to memory of 3196	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4996 wrote to memory of 3196	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4996 wrote to memory of 820	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4996 wrote to memory of 820	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 4996 wrote to memory of 820	4996	Shell-996933_29-07-2020.exe	Shell-996933_29-07-2020.exe
PID 3168 wrote to memory of 3652	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 3652	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 3652	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4308	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4308	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4308	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4620	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4620	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4620	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4444	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4444	3168	AcroRd32.exe	RdrCEF.exe
PID 3168 wrote to memory of 4444	3168	AcroRd32.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe
PID 4620 wrote to memory of 3416	4620	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3440

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 3440 240569531
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe" 2 1152 240567203
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:3652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:4308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AED2CBBFA26D98F6F1E162FA7144E8B2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B36F449AEE164B53C958DC9BB2628B2C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B36F449AEE164B53C958DC9BB2628B2C --renderer-client-id=2 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F82749EE193B7361845549FA0A604A1 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B94128BC89841B94B202C786B4720CDE --mojo-platform-channel-handle=2112 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:5112

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76A060287322DA32DB5E4E8B8C1FB1B9 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:4444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:3972

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A0F5B4295D1E56BDFB14D931295A963A --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:4848

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5175F6755235E6BCF962425B56982DF4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5175F6755235E6BCF962425B56982DF4 --renderer-client-id=2 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job /prefetch:1
6⤵
PID:4180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=169D3CEAC116BFD301E2FCECEC8D684E --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:5016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F7DC9AE997D0B4D9041E24A4790248E9 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4CE82625A0B4EEC0983468D1B901FF82 --mojo-platform-channel-handle=2008 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2EA17247848132A45962FB7719AA412D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2EA17247848132A45962FB7719AA412D --renderer-client-id=8 --mojo-platform-channel-handle=2544 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3584

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
PID:340

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
5⤵
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
6⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe
"C:\Users\Admin\AppData\Local\Temp\Shell-996933_29-07-2020.exe" 2 3196 240569656
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links
Filesize
128KB

MD5
aa5dab2312d1574b321e82a45bbe61fd

SHA1
c9eaf0265c348d745375845b3197777b2a079abd

SHA256
f9f6b13a7589f89b5b93a481bb7fb04d357b24ee41397ab8d0af14ccb8ee0136

SHA512
f30c26967dc7baecc00985b1209a7aae6ce33bf3618fd6d5f4e94ad5b0965f081150f5b7210567cea5eba4b5e6e4c6d445cacc5e5fc2bfd3ec01fe4d67907ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
467KB

MD5
5102ee8e4128267915b1c288b82ce6b5

SHA1
63344aefdf0b14a864c24abbb0884d769b3595ac

SHA256
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555

SHA512
fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
467KB

MD5
5102ee8e4128267915b1c288b82ce6b5

SHA1
63344aefdf0b14a864c24abbb0884d769b3595ac

SHA256
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555

SHA512
fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
467KB

MD5
5102ee8e4128267915b1c288b82ce6b5

SHA1
63344aefdf0b14a864c24abbb0884d769b3595ac

SHA256
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555

SHA512
fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
467KB

MD5
5102ee8e4128267915b1c288b82ce6b5

SHA1
63344aefdf0b14a864c24abbb0884d769b3595ac

SHA256
54e95ef949e6f817b50144b1f8ae37a609d5ab3bc07567699a642a339566d555

SHA512
fa09a941c1e64b44fbee495e946b4527a3228bfd7bbc5cc74e961b3eeb4b706b993fbef2d79f169d2f60a3c0a2739a2a080f68c1b230347c5c30cab74ea4abff

Download Submit
memory/340-192-0x0000000000000000-mapping.dmp

Download
memory/820-149-0x0000000000000000-mapping.dmp

Download
memory/1152-134-0x0000000002430000-0x0000000002463000-memory.dmp

Filesize
204KB

Download
memory/1152-132-0x0000000000000000-mapping.dmp

Download
memory/1260-131-0x0000000000000000-mapping.dmp

Download
memory/1264-146-0x0000000000000000-mapping.dmp

Download
memory/1776-135-0x0000000000000000-mapping.dmp

Download
memory/2208-199-0x0000000000000000-mapping.dmp

Download
memory/2356-187-0x0000000000000000-mapping.dmp

Download
memory/2388-142-0x0000000000000000-mapping.dmp

Download
memory/2480-160-0x0000000000000000-mapping.dmp

Download
memory/2484-198-0x0000000000000000-mapping.dmp

Download
memory/3168-143-0x0000000000000000-mapping.dmp

Download
memory/3196-147-0x0000000000000000-mapping.dmp

Download
memory/3196-151-0x0000000003160000-0x0000000003193000-memory.dmp

Filesize
204KB

Download
memory/3240-171-0x0000000000000000-mapping.dmp

Download
memory/3416-157-0x0000000000000000-mapping.dmp

Download
memory/3440-150-0x00000000023C0000-0x00000000023F3000-memory.dmp

Filesize
204KB

Download
memory/3440-144-0x0000000000000000-mapping.dmp

Download
memory/3460-165-0x0000000000000000-mapping.dmp

Download
memory/3584-194-0x0000000000000000-mapping.dmp

Download
memory/3612-190-0x0000000000000000-mapping.dmp

Download
memory/3652-152-0x0000000000000000-mapping.dmp

Download
memory/3740-133-0x0000000000000000-mapping.dmp

Download
memory/3972-173-0x0000000000000000-mapping.dmp

Download
memory/4180-179-0x0000000000000000-mapping.dmp

Download
memory/4308-153-0x0000000000000000-mapping.dmp

Download
memory/4344-130-0x00000000006F0000-0x0000000000703000-memory.dmp

Filesize
76KB

Download
memory/4444-155-0x0000000000000000-mapping.dmp

Download
memory/4620-154-0x0000000000000000-mapping.dmp

Download
memory/4848-176-0x0000000000000000-mapping.dmp

Download
memory/4996-138-0x0000000000000000-mapping.dmp

Download
memory/5016-184-0x0000000000000000-mapping.dmp

Download
memory/5112-168-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads