hawkeye | 34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

Analysis

max time kernel
151s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Size

679KB
MD5

6ec60f37d746ff3cc4e07bbc22f64992
SHA1

5b4fdb323d57e8041957aa5bdbb9be6277ba09aa
SHA256

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee
SHA512

91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375
SSDEEP

12288:iRBr52LvaGtEuWGC9hy8DCiPrtNg8mMujqBJvrOjaHpzXdDJ0UjtlaxzyDbvr/XR:iRwvBSuROyCC0rtq8mmH/bYenr/X7z5v

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
doggy.k@yandex.com
Password:
kingsdoggy

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 4 IoCs

Processes:

AdobeARMservice.exebthserv.exeAdobeARMservice.exebthserv.exe

pid process

896 AdobeARMservice.exe
1740 bthserv.exe
944 AdobeARMservice.exe
1096 bthserv.exe

pid	process
896	AdobeARMservice.exe
1740	bthserv.exe
944	AdobeARMservice.exe
1096	bthserv.exe

Loads dropped DLL 3 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe

pid	process
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 whatismyipaddress.com
6 whatismyipaddress.com
7 whatismyipaddress.com

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exebthserv.exe

description	pid	process	target process
PID 1492 set thread context of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1896 set thread context of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 set thread context of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1740 set thread context of 1096	1740	bthserv.exe	bthserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exeAdobeARMservice.exe

pid	process
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
944	AdobeARMservice.exe
1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exevbc.exebthserv.exevbc.exeAdobeARMservice.exe

description	pid	process
Token: SeDebugPrivilege	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Token: SeDebugPrivilege	896	AdobeARMservice.exe
Token: SeDebugPrivilege	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Token: SeDebugPrivilege	1228	vbc.exe
Token: SeDebugPrivilege	1740	bthserv.exe
Token: SeDebugPrivilege	780	vbc.exe
Token: SeDebugPrivilege	944	AdobeARMservice.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe

pid process

1896 34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896 AdobeARMservice.exe
896 AdobeARMservice.exe

pid	process
1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
896	AdobeARMservice.exe
896	AdobeARMservice.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exebthserv.exe

description	pid	process	target process
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 1896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 896	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 896 wrote to memory of 1740	896	AdobeARMservice.exe	bthserv.exe
PID 896 wrote to memory of 1740	896	AdobeARMservice.exe	bthserv.exe
PID 896 wrote to memory of 1740	896	AdobeARMservice.exe	bthserv.exe
PID 896 wrote to memory of 1740	896	AdobeARMservice.exe	bthserv.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 1228	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1896 wrote to memory of 780	1896	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1492 wrote to memory of 944	1492	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe
PID 1740 wrote to memory of 1096	1740	bthserv.exe	bthserv.exe

C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
"C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
"C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
4⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
e06f967fb0d355592be4e7674fa31d26

SHA1
1337657643fd0d52ac5e7876743a129134fb40a7

SHA256
9ce04d52aafc9d73c0cedd9a3b5841faa7fa2f28ea1b88068c910ef66c610be1

SHA512
3c064942ff5ef92ee8c416589cdedbf92b3cb28aba375583f6388c261f2ea7161b38afa62f62ad478cc01822a0b42c271215ae9bb1d00a4067356cb6efc898a7

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
102B

MD5
0371f22ad497731db822070771a18cea

SHA1
acac84aa2f7007461e63f8128655b8d6ee8627e2

SHA256
7a957fae4138b72ac574fe32dda8f8285f7c12d66480bbe5f9958bbe5864d32c

SHA512
eb774332d1b84bae7616f836cccee786469f31da09cef3cd26fbe78b567a75c7948df1695cfdb2729f4797d5197ed639796c1f565699fefc854c87a8a63e4b5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
memory/780-111-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-110-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-108-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-106-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-112-0x0000000000442872-mapping.dmp

Download
memory/780-115-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-104-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-117-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/780-103-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/896-76-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/896-119-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/896-118-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/896-71-0x0000000000000000-mapping.dmp

Download
memory/896-82-0x0000000000425000-0x0000000000436000-memory.dmp

Filesize
68KB

Download
memory/896-99-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/944-121-0x0000000000000000-mapping.dmp

Download
memory/944-124-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/944-125-0x0000000000FC5000-0x0000000000FD6000-memory.dmp

Filesize
68KB

Download
memory/944-144-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-133-0x0000000000494EDE-mapping.dmp

Download
memory/1096-140-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-145-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-102-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-93-0x000000000040582F-mapping.dmp

Download
memory/1228-85-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-84-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-87-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-89-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-97-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-95-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-91-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-92-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1492-56-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-55-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1740-83-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-79-0x0000000000000000-mapping.dmp

Download
memory/1740-100-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-98-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-58-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-60-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-62-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-63-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-57-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-64-0x0000000000494EDE-mapping.dmp

Download
memory/1896-66-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-68-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1896-143-0x0000000002315000-0x0000000002326000-memory.dmp

Filesize
68KB

Download
memory/1896-75-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-96-0x0000000002315000-0x0000000002326000-memory.dmp

Filesize
68KB

Download