Analysis Overview
SHA256
e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525
Threat Level: Known bad
The file e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
ISR Stealer payload
Modifies firewall policy service
Sality
ISR Stealer
Windows security bypass
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Executes dropped EXE
UPX packed file
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Windows security modification
Deletes itself
Checks whether UAC is enabled
Enumerates connected drives
Accesses Microsoft Outlook accounts
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2022-10-11 17:32 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2022-10-11 17:32 |
| Reported | 2022-10-12 02:19 |
| Platform | win7-20220901-en |
| Max time kernel | 150s |
| Max time network | 112s |
Command Line
Signatures
ISR Stealer
ISR Stealer payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
UPX packed file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1456 set thread context of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1684 set thread context of 1688 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1684 set thread context of 1956 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1488 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1260 set thread context of 1332 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1260 set thread context of 276 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | "C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\avsYaDQwcn.ini" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\bFJ7zuGmcO.ini" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\4FWmOKPs2q.ini" |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\cw70KqZSrq.ini" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | new77.site50.net | udp |
| US | 153.92.0.100:80 | new77.site50.net | tcp |
| US | 8.8.8.8:53 | www.000webhost.com | udp |
| US | 104.19.184.120:443 | www.000webhost.com | tcp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
| MD5 | 3d382345d721797c1c905ca4592fe15e |
| SHA1 | afaf72653dee7f9f5427bec39c5c9bff312befac |
| SHA256 | 653b668d53381441b76caf76e715fab690ef822757f4efa9a5875866f46e7126 |
| SHA512 | 2ab94ebf446bc8a3a5f630f245e061c18732b11f1702019f07681851d2134647fbc4e417af65396afa78ad3b407b0691bc80adfdf542f066bfc32663a7b95794 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
| MD5 | 65001e6d6cf125d88f272c004aabfbd0 |
| SHA1 | 7710729d91acc8f935e1246db107ff8aa122bb34 |
| SHA256 | e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525 |
| SHA512 | b19e1e366c1a5c6aca686f80eeaeb56af7b642b8ffa1c29ad18cf3168373a929deee7af9c3ed7e82870f32771d76cffb09e821b3a2067b584bc82637365d9fee |
C:\Users\Admin\AppData\Local\Temp\avsYaDQwcn.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Windows\SYSTEM.INI
| MD5 | 4752f4e6f00cca33af2daffd009c5948 |
| SHA1 | e166909390766ea5c6c11a1d14dc24ab7b729547 |
| SHA256 | 696c823e8260976a046dc2975e7679ebaed387493f2aab00a82c9697be8a3b90 |
| SHA512 | b0578e977007ae7650a6a92a274d9479cca507efb7c87eb30eae6a9fd2e347fae5bb489054c10763cf56499dc47cc69d2c36a50f8be20c936e1b94fff4493691 |
C:\Users\Admin\AppData\Local\Temp\4FWmOKPs2q.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-10-11 17:32 |
| Reported | 2022-10-12 02:20 |
| Platform | win10v2004-20220812-en |
| Max time kernel | 200s |
| Max time network | 197s |
Command Line
Signatures
ISR Stealer
ISR Stealer payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1168 set thread context of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4524 set thread context of 216 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4524 set thread context of 3248 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 4068 set thread context of 924 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 924 set thread context of 636 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 924 set thread context of 1384 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe
"C:\Users\Admin\AppData\Local\Temp\e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\7uAtxttyAG.ini"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\KzKMMQfcyj.ini"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\o5uv9b2otK.ini"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\TdGxKMUJM8.ini"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 40.79.150.121:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | new77.site50.net | udp |
| US | 153.92.0.100:80 | new77.site50.net | tcp |
| US | 8.8.8.8:53 | www.000webhost.com | udp |
| US | 104.19.184.120:443 | www.000webhost.com | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | new77.site50.net | udp |
| US | 153.92.0.100:80 | new77.site50.net | tcp |
| US | 8.8.8.8:53 | www.000webhost.com | udp |
| US | 104.19.185.120:443 | www.000webhost.com | tcp |
Files
memory/1168-132-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/1168-133-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/4524-134-0x0000000000000000-mapping.dmp
memory/4524-135-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4524-137-0x0000000002A40000-0x0000000003ACE000-memory.dmp
memory/4524-140-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4524-141-0x0000000000400000-0x0000000000454000-memory.dmp
memory/216-143-0x0000000000400000-0x0000000000453000-memory.dmp
memory/216-142-0x0000000000000000-mapping.dmp
memory/4524-145-0x0000000002A40000-0x0000000003ACE000-memory.dmp
memory/216-146-0x0000000000400000-0x0000000000453000-memory.dmp
memory/216-147-0x0000000000400000-0x0000000000453000-memory.dmp
memory/216-148-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3480-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
| MD5 | 3d382345d721797c1c905ca4592fe15e |
| SHA1 | afaf72653dee7f9f5427bec39c5c9bff312befac |
| SHA256 | 653b668d53381441b76caf76e715fab690ef822757f4efa9a5875866f46e7126 |
| SHA512 | 2ab94ebf446bc8a3a5f630f245e061c18732b11f1702019f07681851d2134647fbc4e417af65396afa78ad3b407b0691bc80adfdf542f066bfc32663a7b95794 |
memory/3480-152-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/4068-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
| MD5 | 65001e6d6cf125d88f272c004aabfbd0 |
| SHA1 | 7710729d91acc8f935e1246db107ff8aa122bb34 |
| SHA256 | e264f8835236ba69a65ee098b5b55db60b258e130720521ee2f87edaa412c525 |
| SHA512 | b19e1e366c1a5c6aca686f80eeaeb56af7b642b8ffa1c29ad18cf3168373a929deee7af9c3ed7e82870f32771d76cffb09e821b3a2067b584bc82637365d9fee |
memory/4068-156-0x00000000748D0000-0x0000000074E81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7uAtxttyAG.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/3248-158-0x0000000000000000-mapping.dmp
memory/3248-159-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3248-161-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3248-162-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3248-163-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4524-164-0x0000000002A40000-0x0000000003ACE000-memory.dmp
memory/4524-165-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4524-166-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4524-167-0x0000000002A40000-0x0000000003ACE000-memory.dmp
memory/3480-168-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/4068-169-0x00000000748D0000-0x0000000074E81000-memory.dmp
C:\Windows\SYSTEM.INI
| MD5 | e9b4a7c1f4b0ff53eb3d065d472b0340 |
| SHA1 | e058a4fc41e00045a34b9b19414a4553ae6d43da |
| SHA256 | bb45a6f24267b724acb49800a57a30453feeb2c432090b4162752fa56b220de2 |
| SHA512 | d28941d4a7f4b00968a94f2daa3397ebd2bc7f83c932f97a6e8dc4a7b8c05ac08efeef94c31aaedafa33f5ac060d932af1b68feb3abb38c72873b38362fda2b5 |
memory/1168-171-0x0000000009EC0000-0x000000000AF4E000-memory.dmp
memory/1168-172-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/1168-173-0x0000000009EC0000-0x000000000AF4E000-memory.dmp
memory/3480-174-0x00000000748D0000-0x0000000074E81000-memory.dmp
memory/4068-175-0x0000000009A70000-0x000000000AAFE000-memory.dmp
memory/924-176-0x0000000000000000-mapping.dmp
memory/636-181-0x0000000000000000-mapping.dmp
memory/636-184-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4068-187-0x0000000009A70000-0x000000000AAFE000-memory.dmp
memory/820-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdobeARMservice.exe.log
| MD5 | 306dcf8451f1d1c4ea678200dba1150d |
| SHA1 | d1d7cbb50687b1dccddc86e10018bb5e3b25fd45 |
| SHA256 | a499000e9be82b2f5c2aaec440ace36ea9f22acc18d7117e68de70a7e5743e61 |
| SHA512 | f51f6b58115e377619f458838f68d52d316a16c461fdeca721370252266eaf21068053c2a9d278ff551492e8b55b90e3c1fd8f985d6d4442c5d01347d188b414 |
memory/924-191-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
| MD5 | 3d382345d721797c1c905ca4592fe15e |
| SHA1 | afaf72653dee7f9f5427bec39c5c9bff312befac |
| SHA256 | 653b668d53381441b76caf76e715fab690ef822757f4efa9a5875866f46e7126 |
| SHA512 | 2ab94ebf446bc8a3a5f630f245e061c18732b11f1702019f07681851d2134647fbc4e417af65396afa78ad3b407b0691bc80adfdf542f066bfc32663a7b95794 |
memory/636-186-0x0000000000400000-0x0000000000453000-memory.dmp
memory/636-192-0x0000000000400000-0x0000000000453000-memory.dmp
memory/820-193-0x00000000748D0000-0x0000000074E81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\o5uv9b2otK.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\index[1].htm
| MD5 | 4f8e702cc244ec5d4de32740c0ecbd97 |
| SHA1 | 3adb1f02d5b6054de0046e367c1d687b6cdf7aff |
| SHA256 | 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a |
| SHA512 | 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 6f59ed058aa06aaf5ec6213b955aabd4 |
| SHA1 | baf7b828a563b8fb6111e4ce35e0055575ad80b4 |
| SHA256 | 2d82e2629fa2e08f28b43b15da43dff56c7f4b23b39d66109c7c61998e35b4d5 |
| SHA512 | 6b0f041dafb98b9eaf70ac0d20a98c56e1c42231c4a4ae6e11582b20d20bf8f96dfd7747739a10d77368994441adb0e181b356f8569697b1f22ab4fe931170ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | f4632ed54e50757d9c8df8db5a97b020 |
| SHA1 | 37130f88c18ea3fc273a1b3f5cd49e4baf3deff2 |
| SHA256 | 6dccd1c1211fe9505aff55ca211feb2f3662b7a45f9f410f519632bb3d83663d |
| SHA512 | 0e76cc55b4f9489b473930d56413e4c4f2448c96ac6cd1c9e385bfdf0f3a599bb0f71a29522e6d9d7f0634a21dc0f751bfd348d8a6587cc21549e8f40f3aabc9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 0698dbc93ba7b6bef73ba316695f8317 |
| SHA1 | a444078ff1eb7c88f52cb4e324365926b491ed47 |
| SHA256 | 263292040d77903899257c1d21201dc64d6f8d6b5a1d945cd5b28d0124d7906c |
| SHA512 | ebacaa7009aebb88199cd70fd0bb3afe69ed300318cb633edd1c0404e42aef829617f589bcbad6cb7ab4bd0a8ae87f7df1435c786184ecc5de61c8fc6950a900 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 72e042d30fd79d9dae12e286e8c9b61b |
| SHA1 | ade8d9369eb9e871ae9e3ea8a859b127c3e6cb12 |
| SHA256 | 2096c2c66ff6a263cdec9c57ada58b2a4e9e64422ce554283da9cb6b4c6d14b7 |
| SHA512 | 57435cdcab046bab84d92c1606dab03c409c733bfa07d8f87f28de5142cba003756396373025bb831bfa68722e5ec6c0de610485f467771e7e550139bf4b0b2c |
memory/1384-200-0x0000000000000000-mapping.dmp
memory/1384-204-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1384-203-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1384-205-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4068-206-0x0000000009A70000-0x000000000AAFE000-memory.dmp
memory/924-207-0x0000000000400000-0x0000000000454000-memory.dmp
memory/636-208-0x0000000000400000-0x0000000000453000-memory.dmp
memory/820-209-0x00000000748D0000-0x0000000074E81000-memory.dmp