Malware Analysis Report

2024-10-19 07:08

Sample ID: 231004-t1c9eada5z
Target: ccec9f6516e38c852b1df13c836e5430.exe
SHA256: e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
Tags: phemedrone, stealer, upx, spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
Threat Level: Known bad

The file ccec9f6516e38c852b1df13c836e5430.exe was found to be: Known bad.

Malicious Activity Summary

Tags: phemedrone, stealer, upx, spyware

Phemedrone
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Program crash
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-04 16:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-04 16:31
Reported: 2023-10-04 16:33
Platform: win7-20230831-en
Max time kernel: 143s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"

Signatures

Phemedrone (tags: stealer, phemedrone)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Desktop\83AVV42L.exe N/A
N/A N/A C:\ProgramData\Package Cache\4JVTTSCG.exe N/A

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no details recorded)

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\ProgramData\Desktop\83AVV42L.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\83AVV42L.exe = "11001" C:\ProgramData\Desktop\83AVV42L.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\ProgramData\Desktop\83AVV42L.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\ProgramData\Desktop\83AVV42L.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\ProgramData\Desktop\83AVV42L.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Desktop\83AVV42L.exe N/A 14

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\ProgramData\Desktop\83AVV42L.exe N/A 2

Processes

Process / Command line

C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe
    "C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"

C:\ProgramData\Desktop\83AVV42L.exe
    "C:\ProgramData\Desktop\83AVV42L.exe"

C:\ProgramData\Package Cache\4JVTTSCG.exe
    "C:\ProgramData\Package Cache\4JVTTSCG.exe"

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2732 -s 520

Network

Distinct connections, with the number of times each was observed:

Country Destination Domain Proto Count
US 8.8.8.8:53 cc-api-data.adobe.io udp 1
US 8.8.8.8:53 na1e-acc.services.adobe.com udp 1
US 3.233.129.217:443 cc-api-data.adobe.io tcp 10
US 54.200.76.247:443 na1e-acc.services.adobe.com tcp 6
US 8.8.8.8:53 client.messaging.adobe.com udp 1
US 18.65.39.7:443 client.messaging.adobe.com tcp 4

Files

C:\Users\Public\Desktop\83AVV42L.exe

MD5 0df3a35807f6a4f361d03c4d66b915e2
SHA1 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256 e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\ProgramData\Package Cache\4JVTTSCG.exe

MD5 e025c7bfa143c476a648e9daa3cfda2f
SHA1 d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512 f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

C:\ProgramData\Desktop\83AVV42L.exe

MD5 0df3a35807f6a4f361d03c4d66b915e2
SHA1 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256 e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{D8B07743-4B98-4371-8C65-963FB7759253}\CCDInstaller.js

MD5 fbc34da120e8a3ad11b3ad1404b6c51a
SHA1 fe3e36de12e0bdd0a7731e572e862c50ee89207c
SHA256 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202
SHA512 f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2


Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-04 16:31
Reported: 2023-10-04 16:33
Platform: win10v2004-20230915-en
Max time kernel: 146s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"

Signatures

Phemedrone (tags: stealer, phemedrone)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A
N/A N/A C:\ProgramData\Templates\RLCVLWWR.exe N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no details recorded)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\1L6APO5M.exe = "11001" C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A 16
N/A N/A C:\ProgramData\Templates\RLCVLWWR.exe N/A 28

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\ProgramData\Templates\RLCVLWWR.exe N/A 1
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A 8

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe N/A 2

Processes

Process / Command line

C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe
    "C:\Users\Admin\AppData\Local\Temp\ccec9f6516e38c852b1df13c836e5430.exe"

C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe"

C:\ProgramData\Templates\RLCVLWWR.exe
    "C:\ProgramData\Templates\RLCVLWWR.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1100 -ip 1100

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1996

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe

Network

Distinct connections, with the number of times each was observed:

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 1
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp 1
US 8.8.8.8:53 ip-api.com udp 1
US 8.8.8.8:53 cc-api-data.adobe.io udp 1
US 8.8.8.8:53 na1e-acc.services.adobe.com udp 1
US 208.95.112.1:80 ip-api.com tcp 1
US 34.215.32.195:443 na1e-acc.services.adobe.com tcp 2
US 54.224.241.105:443 cc-api-data.adobe.io tcp 3
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 1
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp 1
US 8.8.8.8:53 105.241.224.54.in-addr.arpa udp 1
US 8.8.8.8:53 195.32.215.34.in-addr.arpa udp 1
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.200:443 g.bing.com tcp 1
US 8.8.8.8:53 rakishev.net udp 1
US 104.21.88.34:80 rakishev.net tcp 1
US 8.8.8.8:53 34.88.21.104.in-addr.arpa udp 1
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 142.121.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp 1

Files

C:\Users\Admin\AppData\Roaming\Adobe\1L6APO5M.exe

MD5 0df3a35807f6a4f361d03c4d66b915e2
SHA1 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256 e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\ProgramData\Microsoft\Windows\Templates\RLCVLWWR.exe

MD5 e025c7bfa143c476a648e9daa3cfda2f
SHA1 d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512 f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

C:\ProgramData\Templates\RLCVLWWR.exe

MD5 e025c7bfa143c476a648e9daa3cfda2f
SHA1 d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512 f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

C:\Users\Admin\AppData\Local\Temp\{E2F03368-0A82-4EAB-A62D-A7EF4377E109}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{E2F03368-0A82-4EAB-A62D-A7EF4377E109}\CCDInstaller.js

MD5 fbc34da120e8a3ad11b3ad1404b6c51a
SHA1 fe3e36de12e0bdd0a7731e572e862c50ee89207c
SHA256 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202
SHA512 f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2
