hawkeye | 34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Size

679KB
MD5

6ec60f37d746ff3cc4e07bbc22f64992
SHA1

5b4fdb323d57e8041957aa5bdbb9be6277ba09aa
SHA256

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee
SHA512

91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375
SSDEEP

12288:iRBr52LvaGtEuWGC9hy8DCiPrtNg8mMujqBJvrOjaHpzXdDJ0UjtlaxzyDbvr/XR:iRwvBSuROyCC0rtq8mmH/bYenr/X7z5v

Score

10^/10

hawkeye collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
doggy.k@yandex.com
Password:
kingsdoggy

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 4 IoCs

Processes:

AdobeARMservice.exebthserv.exebthserv.exeAdobeARMservice.exe

pid process

4196 AdobeARMservice.exe
2036 bthserv.exe
2136 bthserv.exe
1908 AdobeARMservice.exe

pid	process
4196	AdobeARMservice.exe
2036	bthserv.exe
2136	bthserv.exe
1908	AdobeARMservice.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exebthserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AdobeARMservice.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bthserv.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 whatismyipaddress.com
44 whatismyipaddress.com
52 whatismyipaddress.com

flow	ioc
42	whatismyipaddress.com
44	whatismyipaddress.com
52	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exebthserv.exebthserv.exe

description	pid	process	target process
PID 2288 set thread context of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 3948 set thread context of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 set thread context of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 2036 set thread context of 2136	2036	bthserv.exe	bthserv.exe
PID 2136 set thread context of 1404	2136	bthserv.exe	vbc.exe
PID 2136 set thread context of 4476	2136	bthserv.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe

pid	process
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
4196	AdobeARMservice.exe
2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

bthserv.exe

pid process

2136 bthserv.exe

pid	process
2136	bthserv.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exevbc.exevbc.exebthserv.exeAdobeARMservice.exebthserv.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Token: SeDebugPrivilege	4196	AdobeARMservice.exe
Token: SeDebugPrivilege	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
Token: SeDebugPrivilege	1252	vbc.exe
Token: SeDebugPrivilege	3520	vbc.exe
Token: SeDebugPrivilege	2036	bthserv.exe
Token: SeDebugPrivilege	1908	AdobeARMservice.exe
Token: SeDebugPrivilege	2136	bthserv.exe
Token: SeDebugPrivilege	1404	vbc.exe
Token: SeDebugPrivilege	4476	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exebthserv.exe

pid process

3948 34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2136 bthserv.exe

pid	process
3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
2136	bthserv.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exeAdobeARMservice.exe34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exebthserv.exebthserv.exe

description	pid	process	target process
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 3948	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
PID 2288 wrote to memory of 4196	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 2288 wrote to memory of 4196	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 2288 wrote to memory of 4196	2288	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	AdobeARMservice.exe
PID 4196 wrote to memory of 2036	4196	AdobeARMservice.exe	bthserv.exe
PID 4196 wrote to memory of 2036	4196	AdobeARMservice.exe	bthserv.exe
PID 4196 wrote to memory of 2036	4196	AdobeARMservice.exe	bthserv.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 1252	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 3948 wrote to memory of 3520	3948	34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe	vbc.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 2136	2036	bthserv.exe	bthserv.exe
PID 2036 wrote to memory of 1908	2036	bthserv.exe	AdobeARMservice.exe
PID 2036 wrote to memory of 1908	2036	bthserv.exe	AdobeARMservice.exe
PID 2036 wrote to memory of 1908	2036	bthserv.exe	AdobeARMservice.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 1404	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe
PID 2136 wrote to memory of 4476	2136	bthserv.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
"C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe
"C:\Users\Admin\AppData\Local\Temp\34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdobeARMservice.exe.log
Filesize
676B

MD5
306dcf8451f1d1c4ea678200dba1150d

SHA1
d1d7cbb50687b1dccddc86e10018bb5e3b25fd45

SHA256
a499000e9be82b2f5c2aaec440ace36ea9f22acc18d7117e68de70a7e5743e61

SHA512
f51f6b58115e377619f458838f68d52d316a16c461fdeca721370252266eaf21068053c2a9d278ff551492e8b55b90e3c1fd8f985d6d4442c5d01347d188b414

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
271B

MD5
a18df529a77ed1fbd887400151b9728f

SHA1
74912cb5e97566749ccae5f70e52ee87cb4dfa07

SHA256
599ceb2fab753551e7b27340cd3a9d2eb44a887dfb178d1c05015159bb352eb3

SHA512
a446e30992bc63b53952982e06069555e9b65eb25274495470d4410a04bcc9aeaa96b95300fc89512181e0614abf279f439b52f32ffc6ffb3034230c97aa08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
327B

MD5
e4f3273432f9167e5f8bd2048206773d

SHA1
139b6566c6f8c6a359dd7e6063f88be24f701c8d

SHA256
b620b529c43ed1dab8db9c63b402958e1a0b65c9110029b92ac8ae2c21c0acb2

SHA512
e1bf722b627cd5f1e1678549d51f9556a1d31c8e5f47dfbe343c81aef7bac279ca2b062751666d650b2c196785a84b0d2edca09d1a04b829f4ae869e513e6941

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
346B

MD5
bb9abd3bb64d59d1d53c31e692393855

SHA1
8cd1fc197abb980d1f0e762c53cd49cc9a7d4abf

SHA256
c6aad7f9a9d0f9a3ee369074c014d01b20c3088c1cfebb7f07bd405d175cbcb2

SHA512
0dcafab20d0b7ebbd5057cbb6119566e1ed6d124bdd999cacdd00641193dc93033b9d066e13a9e40ba29ab973ebbbe2303e7eaa9b1a6a85aa2a0d56c863c112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt
Filesize
395B

MD5
e52a3c374b9e03583e14c3e6c1a98b89

SHA1
25de455d7d705407ccbe34ae3c6d0e74cf27d726

SHA256
f52c964bc056d135025366c17d69ab984c8d1a6cbd6d7954539c0dafc575a7b2

SHA512
4aedc2ba516e97a9a3f69ad0f43b1208fa829489221f3f60e7821c02bb1eb4899ac2b27451f69327bc2a17d30f1aea7649235c0c170a82581c7d844a7619e3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
18KB

MD5
1a0155d1d7ad22047c6ec44b7a702e4f

SHA1
6c107ae88cb2008cc6ff57d7441b33b41e66385d

SHA256
5243b1363c5b4c788aea6bc86b6a5973a451bd02ca3d1ec551b5d4078fdca910

SHA512
39db6102c82aab5b9e6d09a9c080b97bb7308fc97bdd2b9eaa7987b22b0ad3ed5983009e3c7d5d9a03540f1c998dbd3a247a3f05a60dc1f0a3b0f577d746d076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
679KB

MD5
6ec60f37d746ff3cc4e07bbc22f64992

SHA1
5b4fdb323d57e8041957aa5bdbb9be6277ba09aa

SHA256
34af6025848f06edccbbedd2d9ab61e7cb3c2d03b945cf1f63300abd5c1879ee

SHA512
91981d858d10fa090f76099b327477ca7fb9d589f121ef23417d96b38cd4970033fc42e1725574e0ad205d2a57b1c016b3ad37210b3635160efcb6adb54f7375

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt
Filesize
4B

MD5
6df182582740607da754e4515b70e32d

SHA1
1e8d0db4d285c13611cf3affd3dc3119d6569574

SHA256
24a47a476d5cbb0d00f5c33a6820e22ed99c1308b1e9679c0407148b4e93dcdb

SHA512
9d103065dab5dabb5addc996d73f26ac2e05f102a37dd56cdda0351e690e68e9cca80bd4ef7598927d2207743db271eea9697945951ba221febdb802baa44034

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt
Filesize
102B

MD5
0371f22ad497731db822070771a18cea

SHA1
acac84aa2f7007461e63f8128655b8d6ee8627e2

SHA256
7a957fae4138b72ac574fe32dda8f8285f7c12d66480bbe5f9958bbe5864d32c

SHA512
eb774332d1b84bae7616f836cccee786469f31da09cef3cd26fbe78b567a75c7948df1695cfdb2729f4797d5197ed639796c1f565699fefc854c87a8a63e4b5e

Download Submit
memory/1252-147-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1252-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1252-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1252-145-0x0000000000000000-mapping.dmp

Download
memory/1252-150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1404-174-0x0000000000000000-mapping.dmp

Download
memory/1404-176-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1404-179-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1404-177-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1908-173-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1908-181-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/1908-168-0x0000000000000000-mapping.dmp

Download
memory/2036-153-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2036-142-0x0000000000000000-mapping.dmp

Download
memory/2036-144-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2136-163-0x0000000000000000-mapping.dmp

Download
memory/2136-172-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2136-180-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2288-133-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2288-161-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/2288-132-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3520-160-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3520-155-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3520-158-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3520-156-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3520-157-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3520-154-0x0000000000000000-mapping.dmp

Download
memory/3948-134-0x0000000000000000-mapping.dmp

Download
memory/3948-151-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3948-136-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3948-135-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/4196-152-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4196-140-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4196-162-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4476-182-0x0000000000000000-mapping.dmp

Download
memory/4476-184-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4476-185-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4476-187-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download