Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 16:05

Static task: static1

Behavioral task: behavioral1
- Sample: 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
- Resource: win10v2004-20241007-en
General
- Target: 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
- Size: 192KB
- MD5: 18a79c670207a856be0fcbc58a4c6b70
- SHA1: 8fe96a186e90dd0ce306fcfbe54056ae1c5ecf07
- SHA256: 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0f
- SHA512: 005ceb943b073f8707afd91f468e87098c7add930cd97ea668de4937ec441fa6d593b5f9dd07b53a9949cdbf3187d11b864261d7d53eddea55b9d9a9d0ad82bf
- SSDEEP: 3072:EGPMlTjUYLCLoz12cFfi0HDYaKf7/t5uXwEdeTuTROMX9:ePaoUZOMHf7/tQ1eTQ7
Malware Config

Extracted: xworm 5.0
- ingles-52514.portmap.host:52514
- 9Vc1HafYmpvbkdVv
- install_file: USB.exe

Extracted: azorult
- http://195.245.112.115/index.php
Signatures

- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a000000023b78-24.dat | family_xworm
  behavioral2/memory/2860-34-0x0000000000590000-0x00000000005A0000-memory.dmp | family_xworm
- Xworm family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 0.EXE
- Executes dropped EXE (3 IoCs)
  pid | Process
  4900 | 0.EXE
  2964 | server.exe
  2860 | XClient.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2964 | server.exe (4 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | server.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | server.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | server.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe (7 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeCollabSync.exe (2 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FullTrustNotifier.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | server.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | server.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | 0.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache | AdobeCollabSync.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process
  116 | AcroRd32.exe (20 entries)
  2860 | XClient.exe
  2964 | server.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2860 | XClient.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  116 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (9 IoCs)
  pid | Process
  1808 | 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
  116 | AcroRd32.exe (7 entries)
  2860 | XClient.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1808 wrote to memory of 4900 | 1808 | 28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe | 83 (2 entries)
  PID 4900 wrote to memory of 116 | 4900 | 0.EXE | 84 (3 entries)
  PID 4900 wrote to memory of 2964 | 4900 | 0.EXE | 85 (3 entries)
  PID 4900 wrote to memory of 2860 | 4900 | 0.EXE | 86 (2 entries)
  PID 116 wrote to memory of 1636 | 116 | AcroRd32.exe | 88 (3 entries)
  PID 1636 wrote to memory of 2216 | 1636 | AdobeCollabSync.exe | 89 (3 entries)
  PID 2216 wrote to memory of 1336 | 2216 | AdobeCollabSync.exe | 90 (3 entries)
  PID 116 wrote to memory of 2880 | 116 | AcroRd32.exe | 99 (3 entries)
  PID 2880 wrote to memory of 1728 | 2880 | RdrCEF.exe | 100 (41 entries)
  PID 2880 wrote to memory of 3044 | 2880 | RdrCEF.exe | 101
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | server.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | server.exe
Processes

* C:\Users\Admin\AppData\Local\Temp\28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe (PID 1808)
  command: "C:\Users\Admin\AppData\Local\Temp\28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Temp\0.EXE (PID 4900)
    command: C:\Users\Admin\AppData\Local\Temp\0.EXE
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 116)
      command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1733144760935.pdf"
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 1636)
        command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe (PID 2216)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1636
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe (PID 1336)
            command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
            - System Location Discovery: System Language Discovery
      * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2880)
        command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1728)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF021B9EA51AF388F2652CE00B89BC26 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3044)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7CD161AC3CC02687E66BB49EE879EAEE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7CD161AC3CC02687E66BB49EE879EAEE --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
          - System Location Discovery: System Language Discovery
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2992)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40CD20069A7EF2988CB99BF35E54E0C5 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2416)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8ACF548EBA477F5F0F84F906D90C7EB5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8ACF548EBA477F5F0F84F906D90C7EB5 --renderer-client-id=5 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job /prefetch:1
          - System Location Discovery: System Language Discovery
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 868)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13714B9785A571ADD37EE90EF0B93B1A --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
        * C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3136)
          command: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D0E19D90495B505D88AE77DC4D55E2A --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          - System Location Discovery: System Language Discovery
    * C:\ProgramData\server.exe (PID 2964)
      command: "C:\ProgramData\server.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - outlook_office_path
      - outlook_win_path
    * C:\ProgramData\XClient.exe (PID 2860)
      command: "C:\ProgramData\XClient.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
* C:\Windows\System32\CompPkgSrv.exe (PID 4736)
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network

MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 7
- Credentials In Files: 6
- Credentials in Registry: 1
Downloads