ae34953160fc00c0b415e3e8d9acccf7d03287da2ad7ea9428fe776f1ca8fc76

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EdgeGuard_Stealer.exe
Size

4.8MB
MD5

36e6920adf89e5f1b25b5fb0c97257ed
SHA1

8763ca48aadcc609d9041a4c730e47b7bafd650c
SHA256

ae34953160fc00c0b415e3e8d9acccf7d03287da2ad7ea9428fe776f1ca8fc76
SHA512

bf81047b48c7078845b1f3525fccf4eeb1a60f3f0b29cda7ef6df34a94b5a343769d9af8ee02ac5437b6dadac30fee08ac91d96d75130cc4a8ee3614f6c4ed77
SSDEEP

49152:ahUiSRv3UJOrb/TkvO90d7HjmAFd4A64nsfJMES/OoK6OCLmMWNa5lpEZe8Rcs5D:p3UJLbRyWfwEHKM8b

Score

9^/10

collection spyware stealer upx

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1368-711-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/2808-716-0x0000000000400000-0x0000000000479000-memory.dmp	Nirsoft

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0010000000015dde-692.dat	acprotect
behavioral1/files/0x0010000000015dde-693.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
2552	myapp.exe
1368	mzcv.exe
2808	ChromeCookiesView.exe
1648	WebBrowserBookmarksView.exe

Loads dropped DLL 1 IoCs

pid	Process
2552	myapp.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000016cde-687.dat	upx
behavioral1/memory/2552-688-0x0000000000400000-0x0000000000939000-memory.dmp	upx
behavioral1/memory/2552-689-0x0000000000400000-0x0000000000939000-memory.dmp	upx
behavioral1/memory/2552-690-0x0000000000400000-0x0000000000939000-memory.dmp	upx
behavioral1/files/0x0010000000015dde-692.dat	upx
behavioral1/memory/2552-694-0x0000000074300000-0x0000000074529000-memory.dmp	upx
behavioral1/files/0x0010000000015dde-693.dat	upx
behavioral1/memory/2552-703-0x0000000000400000-0x0000000000939000-memory.dmp	upx
behavioral1/memory/2552-704-0x0000000074300000-0x0000000074529000-memory.dmp	upx
behavioral1/files/0x000a000000016c24-705.dat	upx
behavioral1/files/0x000a000000016c24-706.dat	upx
behavioral1/memory/1368-707-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1368-711-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x000a000000016ca2-712.dat	upx
behavioral1/memory/2808-714-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/files/0x000a000000016ca2-713.dat	upx
behavioral1/memory/2808-716-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	myapp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Kills process with taskkill 1 IoCs

evasion

pid	Process
2768	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EdgeGuard_Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EdgeGuard_Stealer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EdgeGuard_Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EdgeGuard_Stealer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	EdgeGuard_Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	EdgeGuard_Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EdgeGuard_Stealer.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1368	mzcv.exe
2808	ChromeCookiesView.exe
1648	WebBrowserBookmarksView.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	myapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2552	myapp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	myapp.exe
2552	myapp.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2648	1676	EdgeGuard_Stealer.exe	28
PID 1676 wrote to memory of 2648	1676	EdgeGuard_Stealer.exe	28
PID 1676 wrote to memory of 2648	1676	EdgeGuard_Stealer.exe	28
PID 2648 wrote to memory of 2768	2648	cmd.exe	30
PID 2648 wrote to memory of 2768	2648	cmd.exe	30
PID 2648 wrote to memory of 2768	2648	cmd.exe	30
PID 1676 wrote to memory of 2552	1676	EdgeGuard_Stealer.exe	32
PID 1676 wrote to memory of 2552	1676	EdgeGuard_Stealer.exe	32
PID 1676 wrote to memory of 2552	1676	EdgeGuard_Stealer.exe	32
PID 1676 wrote to memory of 2552	1676	EdgeGuard_Stealer.exe	32
PID 1676 wrote to memory of 2556	1676	EdgeGuard_Stealer.exe	36
PID 1676 wrote to memory of 2556	1676	EdgeGuard_Stealer.exe	36
PID 1676 wrote to memory of 2556	1676	EdgeGuard_Stealer.exe	36
PID 2556 wrote to memory of 1368	2556	cmd.exe	38
PID 2556 wrote to memory of 1368	2556	cmd.exe	38
PID 2556 wrote to memory of 1368	2556	cmd.exe	38
PID 2556 wrote to memory of 1368	2556	cmd.exe	38
PID 1676 wrote to memory of 2040	1676	EdgeGuard_Stealer.exe	39
PID 1676 wrote to memory of 2040	1676	EdgeGuard_Stealer.exe	39
PID 1676 wrote to memory of 2040	1676	EdgeGuard_Stealer.exe	39
PID 2040 wrote to memory of 2808	2040	cmd.exe	41
PID 2040 wrote to memory of 2808	2040	cmd.exe	41
PID 2040 wrote to memory of 2808	2040	cmd.exe	41
PID 2040 wrote to memory of 2808	2040	cmd.exe	41
PID 1676 wrote to memory of 1468	1676	EdgeGuard_Stealer.exe	42
PID 1676 wrote to memory of 1468	1676	EdgeGuard_Stealer.exe	42
PID 1676 wrote to memory of 1468	1676	EdgeGuard_Stealer.exe	42
PID 1468 wrote to memory of 1648	1468	cmd.exe	44
PID 1468 wrote to memory of 1648	1468	cmd.exe	44
PID 1468 wrote to memory of 1648	1468	cmd.exe	44
PID 1468 wrote to memory of 1648	1468	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\EdgeGuard_Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\EdgeGuard_Stealer.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /F /IM thunderbird.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM thunderbird.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Users\Admin\AppData\myapp.exe
  C:\Users\Admin\AppData\myapp.exe passwords.json
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Accesses Microsoft Outlook accounts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Windows\system32\cmd.exe
  cmd /C "mzcv.exe /scookiestxt firefoxcookies.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\mzcv.exe
    mzcv.exe /scookiestxt firefoxcookies.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1368
- C:\Windows\system32\cmd.exe
  cmd /C "ChromeCookiesView.exe /scookiestxt ChromeCookies.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\ChromeCookiesView.exe
    ChromeCookiesView.exe /scookiestxt ChromeCookies.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd /C "WebBrowserBookmarksView.exe /stext Bookmarks.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\WebBrowserBookmarksView.exe
    WebBrowserBookmarksView.exe /stext Bookmarks.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\ChromeCookiesView.exe

Filesize
221KB

MD5
b9f7fbe36aeeeb647258376d7e020d4d

SHA1
b3dd62c120e96dfd2146b77f4d2b09789f907071

SHA256
16d01afe6470143e90aecfe39b1e8bea5fc8caf5f73e11422404a899bb36d616

SHA512
1e24a87adc5107811aacf13275f2ebbb63e2c8357ecfecaa0cc2284a07c20c1f971a0524ca5c7c77a8efd5ea3276fdafec51ae3502d306592c3da2cd75f3e894

Download Submit
C:\Users\Admin\AppData\ChromeCookiesView.exe

Filesize
221KB

MD5
b9f7fbe36aeeeb647258376d7e020d4d

SHA1
b3dd62c120e96dfd2146b77f4d2b09789f907071

SHA256
16d01afe6470143e90aecfe39b1e8bea5fc8caf5f73e11422404a899bb36d616

SHA512
1e24a87adc5107811aacf13275f2ebbb63e2c8357ecfecaa0cc2284a07c20c1f971a0524ca5c7c77a8efd5ea3276fdafec51ae3502d306592c3da2cd75f3e894

Download Submit
C:\Users\Admin\AppData\License.XenArmor

Filesize
104B

MD5
c9856e4aa6da989786db955602846b41

SHA1
f1b04a932e1d979e11bc58623ad3e7a972b21b89

SHA256
ea905276db64e16ce3d867d5d4bb7a276083d9e0b07e0781fbdd32b9d352603f

SHA512
7d151687a6149cdb150c8d6971066c955a5d8e898be1e22dbc0062971dd9438cb1427ac9141b7d7967212714536bb8dba057dbe91a333e24ec122555fa96410a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
891951deaf661ad74b0c413f347f46c0

SHA1
331f2c03c209723f4820892330c4571db586abd2

SHA256
5589f6aa8dbe62ef0cba22791a501efd8b6af8881af1cf04dc4d2f7d19bb732d

SHA512
6a2b7c4d6140ff6ed90c8830dea8e022a466204b06e4307d3b1f66a01c7bc540bb39cee1403b629fa386ef266073660357152c6e8135a6a739d645438035b263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b0c79724cf7ad5b4dcccb94c74c18d1

SHA1
5294da086f9d4dff32f35c6b4614707a6b2c1616

SHA256
985aef94ff85625449896c1872ae0782ecad9cfa6842bd6299a8ccc3805e768f

SHA512
a4b6c4a4386ed58ead9953bfff98ac2f228e48268ce99919e3b22edf1415f9a09adf41de1fce6eb517424193caa68c55df323244ba700577ace51718aa9b79d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7fbdf295b948d3cb2e35901708d5270

SHA1
22211fd0b66da3533a2c715cde7820cc25866891

SHA256
08516829956aa44ab44ac67ac51d285c138bf03338dfce5739726d73600a2fd1

SHA512
1e4521aa9a0d585f013470ad326e37bf0a0314e1216ea41aaf4d8bebeebe2bd4dba8af912f2a0183796b070105f481c111f6f7d7efbad42f343848d40874a774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
749948ed7fe89c3c2e8b8799c126bb9e

SHA1
23164eb353e130a6277cca2cacf550d4881382c5

SHA256
ffa067d64ca12ce1e9228374d5287e951fa3c9fb267cbd019b3c7a48d05bd711

SHA512
41b38fe6e92bbac0c21a5a37ae793a683e7cdf6ebaa5669c74b37ee8d3507f4382aadd34ca5a86e60bf7864671dd756435d1722bbed4bdd0a7bb47c0bd290ba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b973cbd3c21cd2982e541179af04cc10

SHA1
24bf8c6fcd30b4ffa43ad610e2c1bfcf398329c0

SHA256
37bdfd1d6ad3b8abb3286ca301028ec5a939f44eb3e502e6e7f3c6f8a664d221

SHA512
aae89b0378dedf95c44c52c72939df41d5ff9c40d9d61c18e277a3473b0a04f6e102c340b0528061ffc970ff8f2be5c1a2ba31dc41b77a9855e828dd30cf150f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d45e59fae201ddfe570d7a6c65722fcc

SHA1
39f5fdafca2a43dab6332d5afbaad09647ba7382

SHA256
0426dd68f1b01546c3d4ece9ad274ca4a69dd37ac701e76d34943d305b77cbd3

SHA512
aeefa76dad00c18bb92bf80332daee8a5de7050490628a954d281791a61f07baeab040586514a6525223044588ad1f31721ac3c165eff4b75de2597b77be74fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e27d5ad05f883d5e5b01e8c7a64c7166

SHA1
e2e95ef9d22604e59b1b5a993925ef06d5024bb2

SHA256
623b941672724b63fe69b764093e371fad560017cf7b4336bdf15f68d2716e08

SHA512
7bbd529d7b3ac9838ad1972b2a71c1a20d4f4b905c819d45df6b2e2ba29830decc2e3b987a9431cf4f89296b07b958e5b11ae8670d6ddca189da1a9bc695e3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e15c36705ef2683548de775c8007d21b

SHA1
d6f7319b91bcf199bcc0bbdddf98c813d1e016b4

SHA256
ae31ae52142a83c2b3e69c92692c698d13b58b5500f46b3a291f1242a0f40768

SHA512
c240de2be2cfe799ff7589890bfb76997dff7e22e8dfebba5047814bb1959e8c07dd887fc4ba8ab8971904d19ce9eaabd9915603e994c2c6f4a4f9bed1dd97d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20e548537ead5a5e1090b8fa35c8919c

SHA1
b45c09fcbd4119b5c2cf920a4902bf548e225896

SHA256
4aac0402e521cb100cf081ea8b286b13c6180a2e9204aed915605e507c271906

SHA512
5c1674166af51c03012f5c174ab526a5e4e0d12795507d5225f6ab9b11a6d5e87164a555d0143c4cdd772d023ace5399d6fd3fb4e5fd56d10af558e76159d35a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f99f62533b9a79fb460b35a0a375499a

SHA1
defb6c40d9f67da8c1265ae09f3ca96784fd8352

SHA256
4dc846ec2880c5a65b3691b9c74066429d3a9d1cb3500c3fc7aae7a8e1e98147

SHA512
3b2666e65c1271f766fef43e4a3b1ec67a04c8bbc17fd3978aea09504f63190b2241a53c7099ead9c0151d5c7cf8106b2f118d0069ca24136f9138a5cddbcf68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61f4883335d9409caed08b9a409d1668

SHA1
d92aba26434c448044d13e603ca548c6ed01f858

SHA256
f0c991ecc9fa31394df7ca7750b20404368a72f827aee6af3ec24eec65615b8e

SHA512
38e4f550a6a313f53dec63ba4bf001fcd0ab8c8127f1e1596e8e9bba9e6193b56347c3aea4be1d04cb014c8ab4aa2b4f5161757d1aaed2e675f7fe8f41bdd5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
e987ab3294c0c711a870db0df12de1ae

SHA1
0ce58df4457061e7c3c43f2d909ca7002363e8dc

SHA256
3beb99e1416dbad9b401d8af909fc1d3fc9c801f86c432d7537a39af659d1e5e

SHA512
ce82e884dc95e2590d27ac30a37f8b678311685ee638fabca6a1c8131da2fb30b236eed9c3ca3bdbf8f15e56021eb309c58b02c83c58308d391f525a02e7d4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5266.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar55A4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\WebBrowserBookmarksView.exe

Filesize
350KB

MD5
adb672eac3bbf16ebed56be75b86806c

SHA1
e972132de2710799ebac3732696608346d1811e4

SHA256
d335d0e7759b9b66923c90de78d011af384b0b187913f41ffa892a4d7ef41d69

SHA512
9118dda64e8f7e7055005320371cf23cc8a3cc17d2bdcc63fb025c1541b3babc14e4fd4f3310f3ac88bcaba978b27de7190aeb1dd5b1e245f59cc552377bf89b

Download Submit
C:\Users\Admin\AppData\WebBrowserBookmarksView.exe

Filesize
350KB

MD5
adb672eac3bbf16ebed56be75b86806c

SHA1
e972132de2710799ebac3732696608346d1811e4

SHA256
d335d0e7759b9b66923c90de78d011af384b0b187913f41ffa892a4d7ef41d69

SHA512
9118dda64e8f7e7055005320371cf23cc8a3cc17d2bdcc63fb025c1541b3babc14e4fd4f3310f3ac88bcaba978b27de7190aeb1dd5b1e245f59cc552377bf89b

Download Submit
C:\Users\Admin\AppData\XenManager.dll

Filesize
696KB

MD5
3d5e1b42e41f2e39b77db350329643dd

SHA1
6900e0b10b97768c4e7659bf0f3c7f3db1abe77b

SHA256
ae5f98da2face8f7c050a562cb3640280790db6c0601e78aa57b2799820dafff

SHA512
2a28f6a62b025471b6613c96ef7e49a0dcd7789a6dd74bddc40483ab821570c147182f256e018e330df1e08c80744d31a87e34878013cd874e4d5913dad73a29

Download Submit
C:\Users\Admin\AppData\myapp.exe

Filesize
1.3MB

MD5
f66df7e53df23979743957d5695fba69

SHA1
60e1c99bc1390b065ed5d0f20f51a64832eda842

SHA256
940f0a6101217af4ab76f0d2e76451e3f20dcf343f6a3dad3de76748078581ab

SHA512
bc01bc616c55290df3261da2e389265ac97c5a4f53d64c74bc42ab2ecc8e1a423b27b39b4e2b26d431157fcc67770c9e404299031dea7175ae13f31fb49c1b90

Download Submit
C:\Users\Admin\AppData\mzcv.exe

Filesize
50KB

MD5
976112f26cfa4f84393c9767bc15d8e9

SHA1
971a190e569c687bfeb85338cd8838953d160a88

SHA256
72101fa019e4e1299c6170c466e6006875e46205dab07144c9c35f41f60b0be6

SHA512
672eb51b71c6930046b2b6beb75b31dfb1a37ccda109a7eed8c0d0accf56ed66d0b30a9af24ffdcbf2aa232ec83ba6d5fc873821c792466c684a4714fec5f0e3

Download Submit
C:\Users\Admin\AppData\mzcv.exe

Filesize
50KB

MD5
976112f26cfa4f84393c9767bc15d8e9

SHA1
971a190e569c687bfeb85338cd8838953d160a88

SHA256
72101fa019e4e1299c6170c466e6006875e46205dab07144c9c35f41f60b0be6

SHA512
672eb51b71c6930046b2b6beb75b31dfb1a37ccda109a7eed8c0d0accf56ed66d0b30a9af24ffdcbf2aa232ec83ba6d5fc873821c792466c684a4714fec5f0e3

Download Submit
C:\Users\Admin\AppData\outlooks\License.XenArmor

Filesize
1KB

MD5
30a9aa3e2018df9e4d5a7dea65c283f6

SHA1
6abb0707a87dd0140ae3488c3f2a378726e2ca53

SHA256
230d91b44ffd4de6a3cfe521b2560e5ed59763df51a5de76fc01513787fb1682

SHA512
8f81262c4a373aac14e4bb31bcd26fc4e706d7a2d8b2f71b7822444307d2d3ffa44f6602b6902a2d471bc2ecb96f48a43a4901b3c63e940f68c949a3b9f18e7f

Download Submit
C:\Users\Admin\AppData\settings.db

Filesize
28KB

MD5
f72060de3dbbe0db1683245754da72df

SHA1
341f0a17c7c73b59741bfaacfda0f2404df4365f

SHA256
f56e06652b0fad4220732450508ba069634f895bfcada8e12de7a689e8b3a78d

SHA512
f820d59b1c8aa0ed23baa1b9f6682c2cda5baac85b74ec6911f612530bda0f70abc4cd8f4b7d6676a007fcc7d3c57906dc84f8408759cd3bceb1074aa9198f82

Download Submit
\Users\Admin\AppData\XenManager.dll

Filesize
696KB

MD5
3d5e1b42e41f2e39b77db350329643dd

SHA1
6900e0b10b97768c4e7659bf0f3c7f3db1abe77b

SHA256
ae5f98da2face8f7c050a562cb3640280790db6c0601e78aa57b2799820dafff

SHA512
2a28f6a62b025471b6613c96ef7e49a0dcd7789a6dd74bddc40483ab821570c147182f256e018e330df1e08c80744d31a87e34878013cd874e4d5913dad73a29

Download Submit
memory/1368-707-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-711-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-704-0x0000000074300000-0x0000000074529000-memory.dmp

Filesize
2.2MB

Download
memory/2552-703-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2552-690-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2552-689-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2552-688-0x0000000000400000-0x0000000000939000-memory.dmp

Filesize
5.2MB

Download
memory/2552-694-0x0000000074300000-0x0000000074529000-memory.dmp

Filesize
2.2MB

Download
memory/2808-714-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2808-716-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download