0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f

Analysis

max time kernel
152s
max time network
103s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
Size

610KB
MD5

6fe53e055d42ad6afb385b49ae850e50
SHA1

f261a8717b66f88b98d1347032bf87992346e532
SHA256

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f
SHA512

328d9b2f1eac09d50ce7c919350b423c5ec2666de2e519295e1b8496b55470510f8327c6d225d0238eeebaa60f72b0779f5d557cc6f281a8d1d9bc04bde16356
SSDEEP

12288:WkgPZo90EPFHv7nItXwYxv8ZEw65WAncif6sAZXWPZsl3m:Oo0E5I/xEQKif8Wm

Score

9^/10

collection spyware stealer

Malware Config

Signatures

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1928-87-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1928-88-0x0000000000411714-mapping.dmp	MailPassView
behavioral1/memory/1928-92-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1928-98-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1928-100-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1524-110-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1524-111-0x0000000000442F58-mapping.dmp	WebBrowserPassView
behavioral1/memory/1524-114-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral1/memory/1524-115-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1928-87-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1928-88-0x0000000000411714-mapping.dmp	Nirsoft
behavioral1/memory/1928-92-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1928-98-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1928-100-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1524-110-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1524-111-0x0000000000442F58-mapping.dmp	Nirsoft
behavioral1/memory/1524-114-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral1/memory/1524-115-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

udpsv.exeagpmgr.exeudpsv.exeagpmgr.exe

pid process

556 udpsv.exe
112 agpmgr.exe
280 udpsv.exe
1168 agpmgr.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeudpsv.exe

pid process

1048 cmd.exe
556 udpsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
556	udpsv.exe
112	agpmgr.exe
280	udpsv.exe
1168	agpmgr.exe

pid	process
1048	cmd.exe
556	udpsv.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeagpmgr.exe

description	pid	process	target process
PID 1832 set thread context of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 set thread context of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 set thread context of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 112 set thread context of 1168	112	agpmgr.exe	agpmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeudpsv.exeudpsv.exe

pid	process
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
556	udpsv.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
280	udpsv.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeagpmgr.exe

pid process

1516 0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1168 agpmgr.exe

pid	process
1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1168	agpmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeudpsv.exeagpmgr.exeudpsv.exeagpmgr.exe

description	pid	process
Token: SeDebugPrivilege	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
Token: SeDebugPrivilege	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
Token: SeDebugPrivilege	556	udpsv.exe
Token: SeDebugPrivilege	112	agpmgr.exe
Token: SeDebugPrivilege	280	udpsv.exe
Token: SeDebugPrivilege	1168	agpmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeagpmgr.exe

pid process

1516 0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1168 agpmgr.exe

pid	process
1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
1168	agpmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.execmd.exe0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exeudpsv.execmd.execmd.exeagpmgr.exe

description	pid	process	target process
PID 1832 wrote to memory of 1684	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1684	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1684	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1684	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1516	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 1048	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1048	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1048	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 1048	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1048 wrote to memory of 556	1048	cmd.exe	udpsv.exe
PID 1048 wrote to memory of 556	1048	cmd.exe	udpsv.exe
PID 1048 wrote to memory of 556	1048	cmd.exe	udpsv.exe
PID 1048 wrote to memory of 556	1048	cmd.exe	udpsv.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 556 wrote to memory of 796	556	udpsv.exe	cmd.exe
PID 556 wrote to memory of 796	556	udpsv.exe	cmd.exe
PID 556 wrote to memory of 796	556	udpsv.exe	cmd.exe
PID 556 wrote to memory of 796	556	udpsv.exe	cmd.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1928	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 796 wrote to memory of 1328	796	cmd.exe	reg.exe
PID 796 wrote to memory of 1328	796	cmd.exe	reg.exe
PID 796 wrote to memory of 1328	796	cmd.exe	reg.exe
PID 796 wrote to memory of 1328	796	cmd.exe	reg.exe
PID 556 wrote to memory of 112	556	udpsv.exe	agpmgr.exe
PID 556 wrote to memory of 112	556	udpsv.exe	agpmgr.exe
PID 556 wrote to memory of 112	556	udpsv.exe	agpmgr.exe
PID 556 wrote to memory of 112	556	udpsv.exe	agpmgr.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1516 wrote to memory of 1524	1516	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
PID 1832 wrote to memory of 472	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 472	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 472	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 1832 wrote to memory of 472	1832	0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe	cmd.exe
PID 472 wrote to memory of 280	472	cmd.exe	udpsv.exe
PID 472 wrote to memory of 280	472	cmd.exe	udpsv.exe
PID 472 wrote to memory of 280	472	cmd.exe	udpsv.exe
PID 472 wrote to memory of 280	472	cmd.exe	udpsv.exe
PID 112 wrote to memory of 1168	112	agpmgr.exe	agpmgr.exe
PID 112 wrote to memory of 1168	112	agpmgr.exe	agpmgr.exe
PID 112 wrote to memory of 1168	112	agpmgr.exe	agpmgr.exe

C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
"C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe"
  2⤵
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
  "C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
    "C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe" /stext C:\ProgramData\Mails.txt
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe
    "C:\Users\Admin\AppData\Local\Temp\0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f.exe" /stext C:\ProgramData\Browsers.txt
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe" /f
        5⤵
        
        PID:1328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Browsers.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe

Filesize
610KB

MD5
6fe53e055d42ad6afb385b49ae850e50

SHA1
f261a8717b66f88b98d1347032bf87992346e532

SHA256
0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f

SHA512
328d9b2f1eac09d50ce7c919350b423c5ec2666de2e519295e1b8496b55470510f8327c6d225d0238eeebaa60f72b0779f5d557cc6f281a8d1d9bc04bde16356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe

Filesize
610KB

MD5
6fe53e055d42ad6afb385b49ae850e50

SHA1
f261a8717b66f88b98d1347032bf87992346e532

SHA256
0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f

SHA512
328d9b2f1eac09d50ce7c919350b423c5ec2666de2e519295e1b8496b55470510f8327c6d225d0238eeebaa60f72b0779f5d557cc6f281a8d1d9bc04bde16356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe

Filesize
610KB

MD5
6fe53e055d42ad6afb385b49ae850e50

SHA1
f261a8717b66f88b98d1347032bf87992346e532

SHA256
0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f

SHA512
328d9b2f1eac09d50ce7c919350b423c5ec2666de2e519295e1b8496b55470510f8327c6d225d0238eeebaa60f72b0779f5d557cc6f281a8d1d9bc04bde16356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
13KB

MD5
255464529f32f1c46d802a774c132401

SHA1
b0838bea26c893a8ad85e3d1b09a2731c577554e

SHA256
4864377ebd90463b1ef1a39aaf4f953f3ea03285d515514cdb074f8839087efd

SHA512
15a464ea207a1cf319096b12adc212ecfd0e705e487cd23779dfe835b68cdbb38deef5db93b142f04dc0e729ac4ae367e05cb6177797aa6d08e92f41f52e382f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
13KB

MD5
255464529f32f1c46d802a774c132401

SHA1
b0838bea26c893a8ad85e3d1b09a2731c577554e

SHA256
4864377ebd90463b1ef1a39aaf4f953f3ea03285d515514cdb074f8839087efd

SHA512
15a464ea207a1cf319096b12adc212ecfd0e705e487cd23779dfe835b68cdbb38deef5db93b142f04dc0e729ac4ae367e05cb6177797aa6d08e92f41f52e382f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
13KB

MD5
255464529f32f1c46d802a774c132401

SHA1
b0838bea26c893a8ad85e3d1b09a2731c577554e

SHA256
4864377ebd90463b1ef1a39aaf4f953f3ea03285d515514cdb074f8839087efd

SHA512
15a464ea207a1cf319096b12adc212ecfd0e705e487cd23779dfe835b68cdbb38deef5db93b142f04dc0e729ac4ae367e05cb6177797aa6d08e92f41f52e382f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\agpmgr.exe

Filesize
610KB

MD5
6fe53e055d42ad6afb385b49ae850e50

SHA1
f261a8717b66f88b98d1347032bf87992346e532

SHA256
0aaceac4735ee5d5b38ab6d1c93e9f8f9e4e6bba0b34b14ee102fc62f8a1662f

SHA512
328d9b2f1eac09d50ce7c919350b423c5ec2666de2e519295e1b8496b55470510f8327c6d225d0238eeebaa60f72b0779f5d557cc6f281a8d1d9bc04bde16356

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\udpsv.exe

Filesize
13KB

MD5
255464529f32f1c46d802a774c132401

SHA1
b0838bea26c893a8ad85e3d1b09a2731c577554e

SHA256
4864377ebd90463b1ef1a39aaf4f953f3ea03285d515514cdb074f8839087efd

SHA512
15a464ea207a1cf319096b12adc212ecfd0e705e487cd23779dfe835b68cdbb38deef5db93b142f04dc0e729ac4ae367e05cb6177797aa6d08e92f41f52e382f

Download Submit
memory/112-119-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/112-99-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/112-95-0x0000000000000000-mapping.dmp

Download
memory/280-122-0x0000000000000000-mapping.dmp

Download
memory/280-140-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/280-125-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/472-121-0x0000000000000000-mapping.dmp

Download
memory/556-77-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/556-74-0x0000000000000000-mapping.dmp

Download
memory/556-118-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/556-120-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/796-83-0x0000000000000000-mapping.dmp

Download
memory/1048-67-0x0000000000000000-mapping.dmp

Download
memory/1168-132-0x0000000000477D1E-mapping.dmp

Download
memory/1168-139-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-141-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-90-0x0000000000000000-mapping.dmp

Download
memory/1516-117-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-59-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-61-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-62-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-63-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-64-0x0000000000477D1E-mapping.dmp

Download
memory/1516-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-69-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-71-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-111-0x0000000000442F58-mapping.dmp

Download
memory/1524-104-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-108-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-110-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-114-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-115-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-101-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1524-102-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1684-57-0x0000000000000000-mapping.dmp

Download
memory/1832-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1832-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-56-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-92-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-85-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1928-88-0x0000000000411714-mapping.dmp

Download