Analysis
max time kernel: 79s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2022 17:45
Static task: static1
Behavioral tasks
Task         Sample                     Resource
behavioral1  NisSrv.exe                 win7-20220901-en
behavioral2  NisSrv.exe                 win10v2004-20220812-en
behavioral3  circular_29092022.pdf      win7-20220812-en
behavioral4  circular_29092022.pdf      win10v2004-20220901-en
behavioral5  circular_29092022.pdf.lnk  win7-20220901-en
General
Target: circular_29092022.pdf.lnk
Size: 2KB
MD5: 9401c4021ce5ae57da50eb7fddfff950
SHA1: ec7f933174448b63b979027e79192e3127c8b5f4
SHA256: 7259f69b075b7d849d7d0e300fe1d63057372aaedd07223de2d6b4023f5bf48c
SHA512: 5458c93f60ef207954fb17a750e692fcf738013a85d92898ea284b190aab4ce84ad4dc30a58562094567da483e041347036c1c557fd6d9c05241cb256033996e
Malware Config
Extracted
Family: netwire
C2: 54.145.6.146:443
activex_autorun: false
copy_executable: false
delete_original: false
host_id: MSOffice-%Rand%
lock_executable: false
mutex: IERXehpS
offline_keylogger: false
password: a1cap0ne@1960s
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (4 IoCs)
Resource                                                                      YARA rule
behavioral6/memory/4864-164-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
behavioral6/memory/4864-165-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
behavioral6/memory/4864-166-0x0000000000400000-0x0000000000450000-memory.dmp  netwire
behavioral6/memory/4864-167-0x0000000000400000-0x0000000000450000-memory.dmp  netwire

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Description        IoC                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe

Suspicious use of SetThreadContext (1 IoC)
Description                          PID   Process     Target process
PID 4528 set thread context of 4864  4528  NisSrv.exe  AddInProcess32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description        IoC                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe

Modifies Internet Explorer settings (1 IoC)
Description  IoC                                                                                                                                           Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe

Modifies registry class (1 IoC)
Description  IoC                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  cmd.exe

In the tables below, identical repeated entries are collapsed; the Entries column gives how many times each line is listed.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
PID   Process       Entries
4528  NisSrv.exe    3
2984  AcroRd32.exe  20

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description              PID   Process
Token: SeDebugPrivilege  4528  NisSrv.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID   Process
2984  AcroRd32.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
PID   Process       Entries
2984  AcroRd32.exe  6

Suspicious use of WriteProcessMemory (64 IoCs)
Description                       PID   Process       Target PID  Target process  Entries
PID 4172 wrote to memory of 3884  4172  cmd.exe       3884        cmd.exe         2
PID 3884 wrote to memory of 4528  3884  cmd.exe       4528        NisSrv.exe      3
PID 3884 wrote to memory of 2984  3884  cmd.exe       2984        AcroRd32.exe    3
PID 2984 wrote to memory of 4048  2984  AcroRd32.exe  4048        RdrCEF.exe      3
PID 4048 wrote to memory of 4840  4048  RdrCEF.exe    4840        RdrCEF.exe      41
PID 4048 wrote to memory of 3768  4048  RdrCEF.exe    3768        RdrCEF.exe      12
Processes
Indentation shows parent/child depth. Each entry gives the image path, then the command line, then the signatures triggered by that process.

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c START /B NisSrv.exe & circular_29092022.pdf
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\NisSrv.exe
      NisSrv.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D167AB5CE9C27339494F20550F1FEEA --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=681008EAA7ACD9701643A92C5ECC399B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=681008EAA7ACD9701643A92C5ECC399B --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D27B002B80009D259AD6ACE5141BF322 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D27B002B80009D259AD6ACE5141BF322 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF5CBF0843F5232763E18D1EDEFE3120 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DAD0F995F5791754CB1D97AC6F33FB9 --mojo-platform-channel-handle=2628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EDBBE0FFD5DEFCB8089EE1C6D01D26F --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
File                                                              Size
memory/916-150-0x0000000000000000-mapping.dmp                     -
memory/2400-161-0x0000000000000000-mapping.dmp                    -
memory/2984-134-0x0000000000000000-mapping.dmp                    -
memory/3768-145-0x0000000000000000-mapping.dmp                    -
memory/3884-132-0x0000000000000000-mapping.dmp                    -
memory/4048-140-0x0000000000000000-mapping.dmp                    -
memory/4128-155-0x0000000000000000-mapping.dmp                    -
memory/4528-137-0x00000000086C0000-0x0000000008C64000-memory.dmp  5.6MB
memory/4528-139-0x00000000081A0000-0x00000000081AA000-memory.dmp  40KB
memory/4528-138-0x00000000081C0000-0x0000000008252000-memory.dmp  584KB
memory/4528-136-0x0000000004D80000-0x0000000004E1C000-memory.dmp  624KB
memory/4528-135-0x0000000000F00000-0x0000000000F98000-memory.dmp  608KB
memory/4528-133-0x0000000000000000-mapping.dmp                    -
memory/4840-142-0x0000000000000000-mapping.dmp                    -
memory/4864-163-0x0000000000000000-mapping.dmp                    -
memory/4864-164-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/4864-165-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/4864-166-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/4864-167-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/5032-158-0x0000000000000000-mapping.dmp                    -