netwire | cd592c969a3a940e43888a1902ec9e4605ed28676d3945ab84d72175fbc87253

General

Target

circular_29092022.pdf.lnk
Size

2KB
MD5

9401c4021ce5ae57da50eb7fddfff950
SHA1

ec7f933174448b63b979027e79192e3127c8b5f4
SHA256

7259f69b075b7d849d7d0e300fe1d63057372aaedd07223de2d6b4023f5bf48c
SHA512

5458c93f60ef207954fb17a750e692fcf738013a85d92898ea284b190aab4ce84ad4dc30a58562094567da483e041347036c1c557fd6d9c05241cb256033996e

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

54.145.6.146:443

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
MSOffice-%Rand%
lock_executable
false
mutex
IERXehpS
offline_keylogger
false
password
a1cap0ne@1960s
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral6/memory/4864-164-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral6/memory/4864-165-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral6/memory/4864-166-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral6/memory/4864-167-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

NisSrv.exe

description pid process target process

PID 4528 set thread context of 4864 4528 NisSrv.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4528 set thread context of 4864	4528	NisSrv.exe	AddInProcess32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

NisSrv.exeAcroRd32.exe

pid	process
4528	NisSrv.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
4528	NisSrv.exe
4528	NisSrv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NisSrv.exe

description pid process

Token: SeDebugPrivilege 4528 NisSrv.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2984 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2984 AcroRd32.exe
2984 AcroRd32.exe
2984 AcroRd32.exe
2984 AcroRd32.exe
2984 AcroRd32.exe
2984 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	4528	NisSrv.exe

pid	process
2984	AcroRd32.exe

pid	process
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe
2984	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4172 wrote to memory of 3884	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 3884	4172	cmd.exe	cmd.exe
PID 3884 wrote to memory of 4528	3884	cmd.exe	NisSrv.exe
PID 3884 wrote to memory of 4528	3884	cmd.exe	NisSrv.exe
PID 3884 wrote to memory of 4528	3884	cmd.exe	NisSrv.exe
PID 3884 wrote to memory of 2984	3884	cmd.exe	AcroRd32.exe
PID 3884 wrote to memory of 2984	3884	cmd.exe	AcroRd32.exe
PID 3884 wrote to memory of 2984	3884	cmd.exe	AcroRd32.exe
PID 2984 wrote to memory of 4048	2984	AcroRd32.exe	RdrCEF.exe
PID 2984 wrote to memory of 4048	2984	AcroRd32.exe	RdrCEF.exe
PID 2984 wrote to memory of 4048	2984	AcroRd32.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 4840	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe
PID 4048 wrote to memory of 3768	4048	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c START /B NisSrv.exe & circular_29092022.pdf
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\NisSrv.exe
NisSrv.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\circular_29092022.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D167AB5CE9C27339494F20550F1FEEA --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4840

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=681008EAA7ACD9701643A92C5ECC399B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=681008EAA7ACD9701643A92C5ECC399B --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
5⤵
PID:3768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D27B002B80009D259AD6ACE5141BF322 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D27B002B80009D259AD6ACE5141BF322 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
5⤵
PID:916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF5CBF0843F5232763E18D1EDEFE3120 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DAD0F995F5791754CB1D97AC6F33FB9 --mojo-platform-channel-handle=2628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:5032

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EDBBE0FFD5DEFCB8089EE1C6D01D26F --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-150-0x0000000000000000-mapping.dmp

Download
memory/2400-161-0x0000000000000000-mapping.dmp

Download
memory/2984-134-0x0000000000000000-mapping.dmp

Download
memory/3768-145-0x0000000000000000-mapping.dmp

Download
memory/3884-132-0x0000000000000000-mapping.dmp

Download
memory/4048-140-0x0000000000000000-mapping.dmp

Download
memory/4128-155-0x0000000000000000-mapping.dmp

Download
memory/4528-137-0x00000000086C0000-0x0000000008C64000-memory.dmp

Filesize
5.6MB

Download
memory/4528-139-0x00000000081A0000-0x00000000081AA000-memory.dmp

Filesize
40KB

Download
memory/4528-138-0x00000000081C0000-0x0000000008252000-memory.dmp

Filesize
584KB

Download
memory/4528-136-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/4528-135-0x0000000000F00000-0x0000000000F98000-memory.dmp

Filesize
608KB

Download
memory/4528-133-0x0000000000000000-mapping.dmp

Download
memory/4840-142-0x0000000000000000-mapping.dmp

Download
memory/4864-163-0x0000000000000000-mapping.dmp

Download
memory/4864-164-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4864-165-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4864-166-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4864-167-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5032-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads