6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
Size

449KB
MD5

205d5d949e8f30087b6c4627976305a7
SHA1

6057323edd66c094604160ffc5c5dda6720084a5
SHA256

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640
SHA512

b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26
SSDEEP

6144:PwhRhJY9Xmu9OaAA/5gpPVBtNpMGS/l8QJCUN:4LJY9Xm6L5MLpM5/lVTN

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

AdobeARMservice.exebthserv.exebthserv.exeAdobeARMservice.exeVHJHY.exeVHJHY.exeAdobeARMservice.exebthserv.exebthserv.exeAdobeARMservice.exe

pid	process
2332	AdobeARMservice.exe
4984	bthserv.exe
4520	bthserv.exe
812	AdobeARMservice.exe
2072	VHJHY.exe
996	VHJHY.exe
4448	AdobeARMservice.exe
3736	bthserv.exe
4716	bthserv.exe
3756	AdobeARMservice.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bthserv.exeVHJHY.exeAdobeARMservice.exebthserv.exe6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exeAdobeARMservice.exebthserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bthserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	VHJHY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AdobeARMservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bthserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AdobeARMservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bthserv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

VHJHY.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VHJHY.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 myip.dnsomatic.com
59 checkip.dyndns.org

flow	ioc
53	myip.dnsomatic.com
59	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exebthserv.exeVHJHY.exebthserv.exe

description	pid	process	target process
PID 5000 set thread context of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 4984 set thread context of 4520	4984	bthserv.exe	bthserv.exe
PID 2072 set thread context of 996	2072	VHJHY.exe	VHJHY.exe
PID 3736 set thread context of 4716	3736	bthserv.exe	bthserv.exe

Drops file in Program Files directory 1 IoCs

Processes:

VHJHY.exe

description ioc process

File created C:\Program Files (x86)\winbuild-15.dat VHJHY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files (x86)\winbuild-15.dat	VHJHY.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3096	4044	WerFault.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
4636	4716	WerFault.exe	bthserv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exeAdobeARMservice.exe

pid	process
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
2332	AdobeARMservice.exe
5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exeAdobeARMservice.exebthserv.exeAdobeARMservice.exeVHJHY.exeAdobeARMservice.exebthserv.exeAdobeARMservice.exe

description	pid	process
Token: SeDebugPrivilege	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
Token: SeDebugPrivilege	2332	AdobeARMservice.exe
Token: SeDebugPrivilege	4984	bthserv.exe
Token: SeDebugPrivilege	812	AdobeARMservice.exe
Token: SeDebugPrivilege	2072	VHJHY.exe
Token: SeDebugPrivilege	4448	AdobeARMservice.exe
Token: SeDebugPrivilege	3736	bthserv.exe
Token: SeDebugPrivilege	3756	AdobeARMservice.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AdobeARMservice.exeAdobeARMservice.exeAdobeARMservice.exe

pid process

2332 AdobeARMservice.exe
2332 AdobeARMservice.exe
812 AdobeARMservice.exe
812 AdobeARMservice.exe
4448 AdobeARMservice.exe
4448 AdobeARMservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exeAdobeARMservice.exebthserv.exebthserv.exeVHJHY.exeAdobeARMservice.exebthserv.exe

description	pid	process	target process
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 4044	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
PID 5000 wrote to memory of 2332	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	AdobeARMservice.exe
PID 5000 wrote to memory of 2332	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	AdobeARMservice.exe
PID 5000 wrote to memory of 2332	5000	6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe	AdobeARMservice.exe
PID 2332 wrote to memory of 4984	2332	AdobeARMservice.exe	bthserv.exe
PID 2332 wrote to memory of 4984	2332	AdobeARMservice.exe	bthserv.exe
PID 2332 wrote to memory of 4984	2332	AdobeARMservice.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 4520	4984	bthserv.exe	bthserv.exe
PID 4984 wrote to memory of 812	4984	bthserv.exe	AdobeARMservice.exe
PID 4984 wrote to memory of 812	4984	bthserv.exe	AdobeARMservice.exe
PID 4984 wrote to memory of 812	4984	bthserv.exe	AdobeARMservice.exe
PID 4520 wrote to memory of 2072	4520	bthserv.exe	VHJHY.exe
PID 4520 wrote to memory of 2072	4520	bthserv.exe	VHJHY.exe
PID 4520 wrote to memory of 2072	4520	bthserv.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 996	2072	VHJHY.exe	VHJHY.exe
PID 2072 wrote to memory of 4448	2072	VHJHY.exe	AdobeARMservice.exe
PID 2072 wrote to memory of 4448	2072	VHJHY.exe	AdobeARMservice.exe
PID 2072 wrote to memory of 4448	2072	VHJHY.exe	AdobeARMservice.exe
PID 4448 wrote to memory of 3736	4448	AdobeARMservice.exe	bthserv.exe
PID 4448 wrote to memory of 3736	4448	AdobeARMservice.exe	bthserv.exe
PID 4448 wrote to memory of 3736	4448	AdobeARMservice.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 4716	3736	bthserv.exe	bthserv.exe
PID 3736 wrote to memory of 3756	3736	bthserv.exe	AdobeARMservice.exe
PID 3736 wrote to memory of 3756	3736	bthserv.exe	AdobeARMservice.exe

outlook_win_path 1 IoCs

Processes:

VHJHY.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	VHJHY.exe

C:\Users\Admin\AppData\Local\Temp\6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
"C:\Users\Admin\AppData\Local\Temp\6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe
"C:\Users\Admin\AppData\Local\Temp\6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640.exe"
2⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 460
3⤵
- Program crash
PID:3096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe
"C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe
"C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe"
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- outlook_win_path
PID:996

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
8⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 480
9⤵
- Program crash
PID:4636

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4044 -ip 4044
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4716 -ip 4716
1⤵
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KeyDebug.txt
Filesize
2KB

MD5
5c45c4a69e4d02ff109c6865b06b031b

SHA1
815a35dd3ebc289dee5d14a4f55d06df71791735

SHA256
1fe744bff371b1b3faf973c816eb7624a6ac1c88574b7cfa047036ad54762bf6

SHA512
b3f7a641d3787d8970dd1d42b06ab091c9e13e058b554f1d60182921edd62e3bc094823613f5e5ac17e9e887009ef4107ddbce07a8e088c49533a7dcb5f4598b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdobeARMservice.exe.log
Filesize
676B

MD5
306dcf8451f1d1c4ea678200dba1150d

SHA1
d1d7cbb50687b1dccddc86e10018bb5e3b25fd45

SHA256
a499000e9be82b2f5c2aaec440ace36ea9f22acc18d7117e68de70a7e5743e61

SHA512
f51f6b58115e377619f458838f68d52d316a16c461fdeca721370252266eaf21068053c2a9d278ff551492e8b55b90e3c1fd8f985d6d4442c5d01347d188b414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bthserv.exe.log
Filesize
676B

MD5
3bc2150211e33cd343b025da5a9b1457

SHA1
a180ee6e62a496a226590390651a1d3708c7b89c

SHA256
ff2e05f53cc9b927bed429bb2df53290223b459c49be1bea6b0ef13c52903787

SHA512
e192903a8d0855203615c2ddd60c45c791492327fcd8a025e1dd1744cc2a526a4e90b8619e19b170f3ed808f3cbe4c839dc86fc70d97c5b0fb86ea529b78442c

Download Submit
C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Directory\VHJHY.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
14KB

MD5
286a9a6a733340ede2ff87ad38882677

SHA1
ec9d40116d3a4600b95fa30476cf58f582d83bec

SHA256
1db2efb896cfedc854732eb9a7542e1f8ca784c36027db252bf1bf572548a737

SHA512
2db46989857b763bd06636d763cb16aa0ea454ae373844bb1e86e9325e27532f323aa4e235f0aa32d52e1bbc42004bb16e6630a349c2bac4c8a8802873c7e0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
449KB

MD5
205d5d949e8f30087b6c4627976305a7

SHA1
6057323edd66c094604160ffc5c5dda6720084a5

SHA256
6a287290942d279952fa0ff4b6cc239e3e4122b24d81105f2207ada9b203b640

SHA512
b4510659794d40c7764eab3a0e2c235349e7b2123812d233c21fabe6d42a700a9d9451964b97af9007d3fab33f946ab285e963b3b94b2736a353a24928f76d26

Download Submit
memory/812-164-0x0000000000000000-mapping.dmp

Download
memory/812-171-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/812-173-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/812-176-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/996-186-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/996-177-0x0000000000000000-mapping.dmp

Download
memory/996-181-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/996-187-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/996-194-0x0000000003690000-0x000000000369C000-memory.dmp

Filesize
48KB

Download
memory/996-195-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2072-172-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2072-168-0x0000000000000000-mapping.dmp

Download
memory/2072-174-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2072-198-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2332-157-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2332-145-0x0000000000000000-mapping.dmp

Download
memory/2332-148-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/2332-154-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3736-190-0x0000000000000000-mapping.dmp

Download
memory/3736-193-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3736-197-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3756-216-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3756-215-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3756-212-0x0000000000000000-mapping.dmp

Download
memory/4044-134-0x0000000000000000-mapping.dmp

Download
memory/4044-136-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/4044-140-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/4044-144-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/4448-188-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4448-199-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4448-183-0x0000000000000000-mapping.dmp

Download
memory/4448-196-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4520-162-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4520-158-0x0000000000000000-mapping.dmp

Download
memory/4520-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4716-200-0x0000000000000000-mapping.dmp

Download
memory/4716-207-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/4716-211-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/4984-175-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4984-152-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4984-153-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/4984-150-0x0000000000000000-mapping.dmp

Download
memory/4984-155-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-156-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-133-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-132-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download