Malware Analysis Report

2024-10-19 07:07

Sample ID 231005-xs3qwaed9s
Target e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe
SHA256 e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385
Tags phemedrone stealer upx spyware
Score 10/10

Analysis Overview

Score 10/10

SHA256

e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385

Threat Level: Known bad

The file e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

phemedrone stealer upx spyware

Phemedrone

Checks computer location settings

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 19:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 19:07

Reported

2023-10-05 19:10

Platform

win7-20230831-en

Max time kernel

143s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe"

Signatures

Phemedrone

stealer phemedrone

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\M5YJ7VAH.exe = "11001" C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe
PID 2228 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\34QM83HF.exe
PID 2632 wrote to memory of 2508 N/A C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\34QM83HF.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe"

C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe

"C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe"

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\34QM83HF.exe

"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\34QM83HF.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2632 -s 520

Network

Country Destination Domain Proto
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 8.8.8.8:53 na1e-acc.services.adobe.com udp
US 52.39.35.24:443 na1e-acc.services.adobe.com tcp
US 50.16.47.176:443 cc-api-data.adobe.io tcp
US 52.6.155.20:443 cc-api-data.adobe.io tcp

Files

memory/2228-0-0x0000000000CC0000-0x0000000001374000-memory.dmp

memory/2228-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\M5YJ7VAH.exe

MD5 0df3a35807f6a4f361d03c4d66b915e2
SHA1 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256 e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\34QM83HF.exe

MD5 e025c7bfa143c476a648e9daa3cfda2f
SHA1 d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512 f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

memory/2144-13-0x0000000000E40000-0x00000000015CA000-memory.dmp

memory/2632-12-0x0000000000A50000-0x0000000000A6C000-memory.dmp

memory/2632-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2144-28-0x0000000000420000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{D62B3D02-D62E-473B-B92C-81A3383F65F4}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{D62B3D02-D62E-473B-B92C-81A3383F65F4}\CCDInstaller.js

MD5 fbc34da120e8a3ad11b3ad1404b6c51a
SHA1 fe3e36de12e0bdd0a7731e572e862c50ee89207c
SHA256 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202
SHA512 f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

memory/2144-45-0x00000000049B0000-0x00000000049D0000-memory.dmp

memory/2228-46-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2144-47-0x00000000049B0000-0x00000000049D0000-memory.dmp

memory/2144-48-0x0000000000E40000-0x00000000015CA000-memory.dmp

memory/2632-66-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2228-67-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2144-68-0x0000000000E40000-0x00000000015CA000-memory.dmp

memory/2144-69-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2144-70-0x00000000049B0000-0x00000000049D0000-memory.dmp

memory/2144-80-0x0000000000E40000-0x00000000015CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-05 19:07

Reported

2023-10-05 19:10

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe"

Signatures

Phemedrone

stealer phemedrone

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\IXB60NUE.exe = "11001" C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\e5e92ec5d1d5be22b05694956de0321475105789279acbc9e83d7796026ec385exe_JC.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe"

C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe

"C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 2500

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 cc-api-data.adobe.io udp
US 8.8.8.8:53 na1e-acc.services.adobe.com udp
US 8.8.8.8:53 ip-api.com udp
US 52.88.227.50:443 na1e-acc.services.adobe.com tcp
US 52.6.155.20:443 cc-api-data.adobe.io tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 20.155.6.52.in-addr.arpa udp
US 8.8.8.8:53 50.227.88.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 rakishev.net udp
US 104.21.88.34:80 rakishev.net tcp
US 8.8.8.8:53 34.88.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp

Files

memory/1500-0-0x0000000000500000-0x0000000000BB4000-memory.dmp

memory/1500-1-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\IXB60NUE.exe

MD5 0df3a35807f6a4f361d03c4d66b915e2
SHA1 75ddf979ab97871cd8980afdf0a83251ac21066b
SHA256 e043cecdb27140a347daf9d655b15d68adbcee3a3a7a26a4ba0bd6f581aac62c
SHA512 1a2a286ecbc9a151bb47c1ecf2abefc2e54b04b70a94679835ee457205c2cc37713b558a7d33da697191e23c81c3ba7ae9dc421d46ce4d4145ec693d46a14f28

C:\Users\Admin\AppData\Roaming\Adobe\N658BDH1.exe

MD5 e025c7bfa143c476a648e9daa3cfda2f
SHA1 d4f90ae2727cd20c19802eeee5589fc4e7b36ec3
SHA256 95ddb8a73ba1d02c13735fe21f335599e0659b3da7b42e23654650b89d4ddf60
SHA512 f9812370e7855acaa15f70a5ee71fa2b78040be72553cc4109276429731ab3a10924fd8e08b8ff91e9c3b0dc57c4bc32168c29416e4a401208fd2574dbd9b8f3

memory/2300-20-0x0000000000110000-0x000000000089A000-memory.dmp

memory/2560-24-0x0000000000C30000-0x0000000000C4C000-memory.dmp

memory/2560-25-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

memory/2560-26-0x000000001BB10000-0x000000001BB20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{6B5D24E6-517D-43C6-A40B-423E32426257}\index.html

MD5 a28ab17b18ff254173dfeef03245efd0
SHA1 c6ce20924565644601d4e0dd0fba9dde8dea5c77
SHA256 886c0ab69e6e9d9d5b5909451640ea587accfcdf11b8369cad8542d1626ac375
SHA512 9371a699921b028bd93c35f9f2896d9997b906c8aba90dd4279abba0ae1909a8808a43bf829584e552ccfe534b2c991a5a7e3e3de7618343f50b1c47cff269d6

C:\Users\Admin\AppData\Local\Temp\{6B5D24E6-517D-43C6-A40B-423E32426257}\CCDInstaller.js

MD5 fbc34da120e8a3ad11b3ad1404b6c51a
SHA1 fe3e36de12e0bdd0a7731e572e862c50ee89207c
SHA256 9701b3ba335b5a11be32dd63ea3a466a14e048c1e5881cac81352b459be0f202
SHA512 f3f0452d16a7cd0600a8ffced5167783d3f31e51dce512872ade5031c97b14366af0343bfe2c822c8ac4a281f27f5eeb00fe7d0e8cbe90434f79bacf3ecb42d2

memory/2300-52-0x0000000007080000-0x00000000070A0000-memory.dmp

memory/2300-54-0x0000000000110000-0x000000000089A000-memory.dmp

memory/1500-55-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

memory/2560-56-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

memory/1500-58-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp

memory/2560-59-0x00007FF96C630000-0x00007FF96D0F1000-memory.dmp