a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
Size

747KB
MD5

624efd0390a6b4fbc2d843d830c569b0
SHA1

887b364d5dfdeb1d94bfbb26e906a7dafdc2008c
SHA256

a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3
SHA512

0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631
SSDEEP

12288:SGV+hAV/4KicsXX3Ih5sm6RnP8dLssPQAutqEkVntPoM:zVdCXXppuYAFVntQ

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4260-143-0x0000000000800000-0x000000000081B000-memory.dmp	MailPassView
behavioral2/memory/1592-179-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1592-180-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1592-193-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4320-183-0x0000000000530000-0x0000000000589000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4260-143-0x0000000000800000-0x000000000081B000-memory.dmp	Nirsoft
behavioral2/memory/1592-179-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1592-180-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4320-183-0x0000000000530000-0x0000000000589000-memory.dmp	Nirsoft
behavioral2/memory/1592-193-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Executes dropped EXE 7 IoCs

Processes:

AdobeARMservice.exebthserv.exebthserv.exebthserv.exebthserv.exeAdobeARMservice.exebthserv.exe

pid process

3084 AdobeARMservice.exe
3460 bthserv.exe
4116 bthserv.exe
4212 bthserv.exe
1592 bthserv.exe
3668 AdobeARMservice.exe
944 bthserv.exe

pid	process
3084	AdobeARMservice.exe
3460	bthserv.exe
4116	bthserv.exe
4212	bthserv.exe
1592	bthserv.exe
3668	AdobeARMservice.exe
944	bthserv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exebthserv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bthserv.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

bthserv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	bthserv.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exea9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exea9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exebthserv.exebthserv.exebthserv.exe

description	pid	process	target process
PID 4860 set thread context of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 set thread context of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 set thread context of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 3460 set thread context of 4116	3460	bthserv.exe	bthserv.exe
PID 4116 set thread context of 4212	4116	bthserv.exe	bthserv.exe
PID 4212 set thread context of 1592	4212	bthserv.exe	bthserv.exe
PID 788 set thread context of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4212 set thread context of 944	4212	bthserv.exe	bthserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exeAdobeARMservice.exe

pid	process
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe
4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
3084	AdobeARMservice.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
Token: SeDebugPrivilege	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
Token: SeDebugPrivilege	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
Token: SeDebugPrivilege	3084	AdobeARMservice.exe
Token: SeDebugPrivilege	3460	bthserv.exe
Token: SeDebugPrivilege	4116	bthserv.exe
Token: SeDebugPrivilege	4212	bthserv.exe
Token: SeDebugPrivilege	3668	AdobeARMservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 4456	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4456 wrote to memory of 788	4456	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4260	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 4860 wrote to memory of 3084	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	AdobeARMservice.exe
PID 4860 wrote to memory of 3084	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	AdobeARMservice.exe
PID 4860 wrote to memory of 3084	4860	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	AdobeARMservice.exe
PID 3084 wrote to memory of 3460	3084	AdobeARMservice.exe	bthserv.exe
PID 3084 wrote to memory of 3460	3084	AdobeARMservice.exe	bthserv.exe
PID 3084 wrote to memory of 3460	3084	AdobeARMservice.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 4116	3460	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4116 wrote to memory of 4212	4116	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 4212 wrote to memory of 1592	4212	bthserv.exe	bthserv.exe
PID 3460 wrote to memory of 3668	3460	bthserv.exe	AdobeARMservice.exe
PID 3460 wrote to memory of 3668	3460	bthserv.exe	AdobeARMservice.exe
PID 3460 wrote to memory of 3668	3460	bthserv.exe	AdobeARMservice.exe
PID 788 wrote to memory of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
PID 788 wrote to memory of 4320	788	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe	a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe

C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe" /stext C:\ProgramData\Mails.txt
4⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe" /stext C:\ProgramData\Browsers.txt
4⤵
PID:4320

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe" /stext C:\ProgramData\Mails.txt
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe" /stext C:\ProgramData\Browsers.txt
6⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdobeARMservice.exe.log
Filesize
404B

MD5
15b6596d028baa2a113143d1828bcc36

SHA1
f1be43126c4e765fe499718c388823d44bf1fef1

SHA256
529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75

SHA512
f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3.exe.log
Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bthserv.exe.log
Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
10KB

MD5
a940b261ec4480bf5c5cdeb063d64b50

SHA1
a528f41956a077f99b9fca2dd862f9462bb08834

SHA256
a5085e4a6b469e14c9386b9e02acc95d80c8ad7431c9c5a7b468a071758f9611

SHA512
d7096cc7b569b2cf0a49270ee0cb011ff7a7c346abdd4a958c8abea21d66a043cf983cee7c8e73c125a21f5b4c0e259194248105549d853f02110f11a512cd45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
10KB

MD5
a940b261ec4480bf5c5cdeb063d64b50

SHA1
a528f41956a077f99b9fca2dd862f9462bb08834

SHA256
a5085e4a6b469e14c9386b9e02acc95d80c8ad7431c9c5a7b468a071758f9611

SHA512
d7096cc7b569b2cf0a49270ee0cb011ff7a7c346abdd4a958c8abea21d66a043cf983cee7c8e73c125a21f5b4c0e259194248105549d853f02110f11a512cd45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
10KB

MD5
a940b261ec4480bf5c5cdeb063d64b50

SHA1
a528f41956a077f99b9fca2dd862f9462bb08834

SHA256
a5085e4a6b469e14c9386b9e02acc95d80c8ad7431c9c5a7b468a071758f9611

SHA512
d7096cc7b569b2cf0a49270ee0cb011ff7a7c346abdd4a958c8abea21d66a043cf983cee7c8e73c125a21f5b4c0e259194248105549d853f02110f11a512cd45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AdobeARMservice.exe
Filesize
10KB

MD5
a940b261ec4480bf5c5cdeb063d64b50

SHA1
a528f41956a077f99b9fca2dd862f9462bb08834

SHA256
a5085e4a6b469e14c9386b9e02acc95d80c8ad7431c9c5a7b468a071758f9611

SHA512
d7096cc7b569b2cf0a49270ee0cb011ff7a7c346abdd4a958c8abea21d66a043cf983cee7c8e73c125a21f5b4c0e259194248105549d853f02110f11a512cd45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\bthserv.exe
Filesize
747KB

MD5
624efd0390a6b4fbc2d843d830c569b0

SHA1
887b364d5dfdeb1d94bfbb26e906a7dafdc2008c

SHA256
a9c9e0b446774499b7b7d597d30633f3fd0c6859497471a84b3e9c7efe6e1ba3

SHA512
0db13973800062ed9483061fe48155cdbc79844d00a5c8c65405893a8f891bfb2dee01c42d2aec658f1acb0c43bd4a95de76b344cff6b5169c96e2b2a212a631

Download Submit
memory/788-137-0x0000000000000000-mapping.dmp

Download
memory/788-149-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/788-155-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/944-186-0x0000000000000000-mapping.dmp

Download
memory/1592-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-169-0x0000000000000000-mapping.dmp

Download
memory/1592-180-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1592-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3084-150-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3084-156-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3084-158-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3084-146-0x0000000000000000-mapping.dmp

Download
memory/3460-151-0x0000000000000000-mapping.dmp

Download
memory/3460-154-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3460-157-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3668-174-0x0000000000000000-mapping.dmp

Download
memory/3668-194-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/3668-178-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4116-163-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4116-168-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4116-160-0x0000000000000000-mapping.dmp

Download
memory/4212-173-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4212-164-0x0000000000000000-mapping.dmp

Download
memory/4212-192-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4260-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4260-141-0x0000000000000000-mapping.dmp

Download
memory/4260-143-0x0000000000800000-0x000000000081B000-memory.dmp

Filesize
108KB

Download
memory/4320-181-0x0000000000000000-mapping.dmp

Download
memory/4320-183-0x0000000000530000-0x0000000000589000-memory.dmp

Filesize
356KB

Download
memory/4456-136-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4456-140-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4456-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4456-134-0x0000000000000000-mapping.dmp

Download
memory/4860-159-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4860-133-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download
memory/4860-132-0x00000000749E0000-0x0000000074F91000-memory.dmp

Filesize
5.7MB

Download