Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 16:05

General

  • Target

    28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe

  • Size

    192KB

  • MD5

    18a79c670207a856be0fcbc58a4c6b70

  • SHA1

    8fe96a186e90dd0ce306fcfbe54056ae1c5ecf07

  • SHA256

    28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0f

  • SHA512

    005ceb943b073f8707afd91f468e87098c7add930cd97ea668de4937ec441fa6d593b5f9dd07b53a9949cdbf3187d11b864261d7d53eddea55b9d9a9d0ad82bf

  • SSDEEP

    3072:EGPMlTjUYLCLoz12cFfi0HDYaKf7/t5uXwEdeTuTROMX9:ePaoUZOMHf7/tQ1eTQ7

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ingles-52514.portmap.host:52514

Mutex

9Vc1HafYmpvbkdVv

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe
    "C:\Users\Admin\AppData\Local\Temp\28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\0.EXE
      C:\Users\Admin\AppData\Local\Temp\0.EXE
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1733144760935.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1636
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1336
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF021B9EA51AF388F2652CE00B89BC26 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1728
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7CD161AC3CC02687E66BB49EE879EAEE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7CD161AC3CC02687E66BB49EE879EAEE --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3044
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40CD20069A7EF2988CB99BF35E54E0C5 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2992
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8ACF548EBA477F5F0F84F906D90C7EB5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8ACF548EBA477F5F0F84F906D90C7EB5 --renderer-client-id=5 --mojo-platform-channel-handle=1832 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2416
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=13714B9785A571ADD37EE90EF0B93B1A --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:868
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6D0E19D90495B505D88AE77DC4D55E2A --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3136
      • C:\ProgramData\server.exe
        "C:\ProgramData\server.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:2964
      • C:\ProgramData\XClient.exe
        "C:\ProgramData\XClient.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2860
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:4736

Network

MITRE ATT&CK Enterprise v15


Downloads
