warzonerat | hxxps://website[.]org/MOQs82

Analysis

max time kernel
77s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20230703-es
resource tags

arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
10/07/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://website.org/MOQs82

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	Demanda Civil.scr

Executes dropped EXE 6 IoCs

pid	Process
2680	Demanda Civil.scr
3108	Demanda Civil.scr
5044	DemandaCivil.exe
4296	DemandaCivil.exe
2516	Documentos.exe
4524	Documentos.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4296	DemandaCivil.exe
4296	DemandaCivil.exe
4524	Documentos.exe
4524	Documentos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5044 set thread context of 4296	5044	DemandaCivil.exe	105
PID 2516 set thread context of 4524	2516	Documentos.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	Demanda Civil.scr

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Demanda_Civil.uue:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe
4524	Documentos.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	OpenWith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5044	DemandaCivil.exe
2516	Documentos.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	firefox.exe
Token: SeDebugPrivilege	1296	firefox.exe
Token: SeDebugPrivilege	1296	firefox.exe
Token: SeRestorePrivilege	1336	7zG.exe
Token: 35	1336	7zG.exe
Token: SeSecurityPrivilege	1336	7zG.exe
Token: SeSecurityPrivilege	1336	7zG.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1296	firefox.exe
1296	firefox.exe
1296	firefox.exe
1296	firefox.exe
1336	7zG.exe
4320	AcroRd32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1296	firefox.exe
1296	firefox.exe
1296	firefox.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
1296	firefox.exe
1296	firefox.exe
1296	firefox.exe
1296	firefox.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
2516	OpenWith.exe
5044	DemandaCivil.exe
4320	AcroRd32.exe
4320	AcroRd32.exe
4320	AcroRd32.exe
4320	AcroRd32.exe
2516	Documentos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1628 wrote to memory of 1296	1628	firefox.exe	45
PID 1296 wrote to memory of 3968	1296	firefox.exe	85
PID 1296 wrote to memory of 3968	1296	firefox.exe	85
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 1636	1296	firefox.exe	86
PID 1296 wrote to memory of 4668	1296	firefox.exe	88
PID 1296 wrote to memory of 4668	1296	firefox.exe	88
PID 1296 wrote to memory of 4668	1296	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://website.org/MOQs82
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://website.org/MOQs82
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.0.1701008833\1950957953" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daccf8a3-ef35-4c4a-b0c8-7b808ac162da} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 1964 1ac57cfc158 gpu
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.1.2106780117\82358294" -parentBuildID 20221007134813 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04107a2d-d623-4728-867b-257f1fc98b76} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 2388 1ac4b372e58 socket
    3⤵
    PID:1636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.2.12833563\389287388" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 3252 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0557a05b-604e-44ec-ba96-06ea750f073a} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 2892 1ac5bd2c758 tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.3.108598727\1248553808" -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3564 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e6639ae-a92b-46d1-af6d-955a027dab8b} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 3624 1ac4b369358 tab
    3⤵
    PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.4.743391743\1197252706" -childID 3 -isForBrowser -prefsHandle 4860 -prefMapHandle 4872 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ccbd4dc-074b-4d80-8270-67a1cbefe3df} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 4884 1ac5e267558 tab
    3⤵
    PID:2456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.5.1416818668\209093645" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 5008 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b088456-a75b-4602-8b5a-4da14b341308} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 5036 1ac5e267858 tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1296.6.2073470613\3549600" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d623133-c996-49aa-adac-0653d6ba35bb} 1296 "\\.\pipe\gecko-crash-server-pipe.1296" 5232 1ac5e265d58 tab
    3⤵
    PID:1592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Demanda_Civil\" -spe -an -ai#7zMap19705:88:7zEvent4351
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1336

C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr
"C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr" /S
1⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr
"C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr" /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3108
- C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe
  "C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5044
- - C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe
    "C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\Admin\Documents\Documentos.exe"
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\Admin\Documents\Documentos.exe"
        5⤵
        
        PID:4396
  - - C:\Users\Admin\Documents\Documentos.exe
      "C:\Users\Admin\Documents\Documentos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:2516
    - - C:\Users\Admin\Documents\Documentos.exe
        
        "C:\Users\Admin\Documents\Documentos.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        
        PID:2680
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Demanda_Civil\Demanda civil.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:2760
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5A724ACC096EDAEDE1A98DA923C77CF3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5A724ACC096EDAEDE1A98DA923C77CF3 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=80F859DE681EE165AC265024FAD2FB74 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1860
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2000D7B8D682543B02BE1276E710FCB1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2000D7B8D682543B02BE1276E710FCB1 --renderer-client-id=4 --mojo-platform-channel-handle=2236 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=76E4C665806DD60C5CF694B7BF4AAF49 --mojo-platform-channel-handle=2616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2FDB4DA2B4A6471D5B4FED61FAE85566 --mojo-platform-channel-handle=2092 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1036
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA3D3B6ECDA7B07ACA5006CEF82A9C86 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\activity-stream.discovery_stream.json.tmp

Filesize
143KB

MD5
da1a77753026b16a9adde7580029c06c

SHA1
fc93e4e5fb2437174695e8e7a7c80ad15a68b830

SHA256
eaf9442369e827a51faf37ead75c4dd4bf41248ebf9ea533b8947cff4d6008c0

SHA512
de04a2e29cad837856daca9e157f065ddb134d0be0fe4801859f025b7f868982911e9d28c60b6d6354163c8655d78765e2ff6b950194ab77d70fdc3e335e72a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs-1.js

Filesize
7KB

MD5
a3fd11ad4f9488487714353add30478b

SHA1
8138d66df7c927622a33899c9debb51f496d0db7

SHA256
a8d7ed2bd14eac1a93a56fcc97f9790c4dfc20780db934d598acd2ebceb13a16

SHA512
02c940b65c81b0b7f464b135217e36f25d62e16a4c6d53fde03d397b4dea06422b6851ad0b38c8d7d0e3b11e65564b975582ee0249f879ca592149ff425aea23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js

Filesize
6KB

MD5
20a1232f852c6ca20477013df9bc56a2

SHA1
1598f3736e38d992a2c448617150ab842cd3ab89

SHA256
0de6d0a2e0132d042b87a1a84f78195e2be8883355e8659ec6e360c63cb13659

SHA512
9a915161183f48c6b4872f97cbe7080844b7c216703e3244ce591bf6fc21a8c2cbfcf9d91de007230b486e04dec6bda9836720ce0888285deaedea7cc05c20fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\prefs.js

Filesize
6KB

MD5
37828c8b6bb435aec2e8ed925c951606

SHA1
1806d2f2fa007ff8571e1833e6a6fe24db412b3c

SHA256
67b7c809674911c5f0d2084c6805a499fe731384b4aad74c6f77321442e925fe

SHA512
340975e5f35769904dc2d7fa236305e33d3b20ae5cc020b9cfb99fa216a3d917f79ff2dab41804378155b7136b0334c560107c3dacd30b54d39036ee4508f942

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
988B

MD5
3ee2d48bd0dd246287bc383a6381ae5f

SHA1
d107f9354aa8b8dea5dba38f4d3ec4871a2cdfbc

SHA256
57bf107ab1381f77639294220ed4f6c2b3f549668c7c9bc9e9e9b1660a94cd49

SHA512
51eb6c1ab86daa576694579b23dbc515134cf5afbdea6c713950f4aaa4f2cd1c29c60a71534014dfecf38d5dd4dc2b10241fb8331212f7774beee0eb8a1c3543

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
24KB

MD5
163f4815d47845e7e083c9956de0bf7b

SHA1
3b6b4cc754a1c2dccc4e2a3684543750dad5b066

SHA256
7a6cf78cde7e51b4bfe0c804b350a179bd24bb4e54ae38e27a18b1939e4c2205

SHA512
7412276b3e1de0418ae8c148d1ecbbec26575ffefe6a0dda153c5030781b080b40e989cdd1793111bb70f7b8f649e2911119be32361caefb303bbc154bee2733

Download Submit
C:\Users\Admin\Documents\Documentos.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Documents\Documentos.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Documents\Documentos.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil.aqGtkq5K.uue.part

Filesize
38KB

MD5
5e3581c01390234fb7e4006e306878ea

SHA1
de8d7d26916e847899ba1fd7fce0c19bf3322179

SHA256
fc8b1e59c3665ae3d4324bfb4e88b232ec916ff8d193c010436aaf1ae75c66dc

SHA512
ff814d1ad38b0c18b1690ccc324bcc864dd700507b927c55e95de8e0495c92bcd23bf9e317e2ece55891e275196bf6b4f2b77119a93094ce169910aa18cbe98f

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil.uue

Filesize
665KB

MD5
0a6d16af5cbf5d687bb252a0f8a61828

SHA1
a146510393935a06d143830cd151c56c4c13aced

SHA256
ce7467c407df2141eb8c29b9a6d1d2793a7e2fda229492169b8cd0e01384faba

SHA512
804a50fdf15863391da8a7ceca38193cc1671b408055bed5a6122929d1319b3f40540ff8ef664ce8e962b56f86026fe5787e16fb9223ea451bae47f87b3f7f78

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr

Filesize
822KB

MD5
d79cb033111b69e98e6b8bf804a44d39

SHA1
d4727955b8768755f5797358095aeb051ad76191

SHA256
ceda1c6ee001d408498455bd2e13cbee14e99aef2923e76984dcd736e8672b8b

SHA512
1fc2b2e13f359834dbfaeeeffcfee8275d5746ef3d210edd76ebbeffe0e23212ba0df08c6345d1b0a24ef598074fb696b29ab0d5aacc2bcd6b629434edfd560f

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr

Filesize
822KB

MD5
d79cb033111b69e98e6b8bf804a44d39

SHA1
d4727955b8768755f5797358095aeb051ad76191

SHA256
ceda1c6ee001d408498455bd2e13cbee14e99aef2923e76984dcd736e8672b8b

SHA512
1fc2b2e13f359834dbfaeeeffcfee8275d5746ef3d210edd76ebbeffe0e23212ba0df08c6345d1b0a24ef598074fb696b29ab0d5aacc2bcd6b629434edfd560f

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\Demanda Civil.scr

Filesize
822KB

MD5
d79cb033111b69e98e6b8bf804a44d39

SHA1
d4727955b8768755f5797358095aeb051ad76191

SHA256
ceda1c6ee001d408498455bd2e13cbee14e99aef2923e76984dcd736e8672b8b

SHA512
1fc2b2e13f359834dbfaeeeffcfee8275d5746ef3d210edd76ebbeffe0e23212ba0df08c6345d1b0a24ef598074fb696b29ab0d5aacc2bcd6b629434edfd560f

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\Demanda civil.pdf

Filesize
884B

MD5
d5088a8ca6aa7f61a7a13c7002a60787

SHA1
022815c93f290a09d6696f0518986b2e5500020a

SHA256
d27af449c0aced5f18841107f4b4a9475441ae57f3050400f8eed2bf2fcefd42

SHA512
06802bd6912775096e0d015f2e5116ba2668c28d6d240c327ccf750039143eb499d6ae4cb96c741c0cdb757d35e367c45d2d8d1043f939b80bb383d944f51a52

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
C:\Users\Admin\Downloads\Demanda_Civil\DemandaCivil.exe

Filesize
1.2MB

MD5
a7fc5eda39f679686b3331f8275aa29c

SHA1
b25cba3b7b622139f6e7522cfacc8c36ceebd177

SHA256
b2afd7e582a0f1de83d3475d051c907d568225d09119a454ad6bb1e7e8846aa0

SHA512
0a5920260ff258e103aa36f42c989a83e57608119bed0c22539bcbfb4186b3a32484b27aa8fb182f9c65979f93118d29d820d1e93e2cf5340af4477cef152b59

Download Submit
memory/2680-349-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/4296-291-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4296-299-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4296-298-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4296-297-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4296-304-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4296-306-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4296-295-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4524-312-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4524-315-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4524-321-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4524-369-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/4524-370-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/5044-294-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download