blackguard | 364be73be12ad3e8d754ef00f5210ba22601cd5750387a44ea6cb3e2fe7b7ea7

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-11-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArkAngel.exe
Size

22.3MB
MD5

8d448b08db9940dbb1e6104aafb764b5
SHA1

598055150c5ddb564be058a3ebfa5ad643dda286
SHA256

364be73be12ad3e8d754ef00f5210ba22601cd5750387a44ea6cb3e2fe7b7ea7
SHA512

2ff2f047845e49ab028e48fdd44430a664227bbfb0bc1468ecaef0823a492b4486f49e459fefd5c498eb3104ed597a35870ab82ea3787a56bfcaf07fa2d16696
SSDEEP

49152:wTIIOXvsGcGOxHf+fRCWca/+TtiuUHm5n9O8aXhb0:w0NXvhDUmfRCy+pUin98h

Score

10^/10

blackguard neshta persistence spyware stealer vmprotect

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Neshta payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014baa-74.dat	family_neshta
behavioral1/files/0x0006000000014baa-76.dat	family_neshta
behavioral1/memory/1324-89-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/files/0x0006000000014baa-78.dat	family_neshta
behavioral1/files/0x0006000000014baa-73.dat	family_neshta
behavioral1/memory/1324-109-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral1/memory/1324-110-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	External.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 7 IoCs

pid	Process
1696	sex.exe
856	Pw_External.exe
1440	stealeing.exe
1004	stealer.exe
1324	External.exe
872	External Loader.exe
1840	External.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000015330-92.dat	vmprotect
behavioral1/memory/1840-96-0x0000000000CC0000-0x0000000000D1C000-memory.dmp	vmprotect
behavioral1/files/0x0006000000015330-95.dat	vmprotect
behavioral1/files/0x0006000000015330-94.dat	vmprotect

Loads dropped DLL 15 IoCs

pid	Process
1048	ArkAngel.exe
1048	ArkAngel.exe
1696	sex.exe
1696	sex.exe
856	Pw_External.exe
856	Pw_External.exe
856	Pw_External.exe
1324	External.exe
1324	External.exe
1324	External.exe
1324	External.exe
1324	External.exe
1324	External.exe
1324	External.exe
1324	External.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PixelWorldsCheater Injector.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\External.exe"	External.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\Debugger.exe	External.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	External.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	External.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	External.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	External.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	External.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	External.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	External.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	External.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	External.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	External.exe
File opened for modification	C:\PROGRA~3\steal\STEALE~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	External.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	External.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	External.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	External.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	External.exe
File opened for modification	C:\PROGRA~3\PWLOAD~1\EXTERN~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	External.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	External.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	External.exe
File opened for modification	C:\PROGRA~3\sex.exe	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	External.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	External.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	External.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	External.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	External.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	External.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	External.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	External.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
772	1840	WerFault.exe	34

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	External.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1004	stealer.exe
1004	stealer.exe
872	External Loader.exe
872	External Loader.exe
1440	stealeing.exe
1440	stealeing.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	stealer.exe
Token: SeDebugPrivilege	872	External Loader.exe
Token: SeDebugPrivilege	1840	External.exe
Token: SeDebugPrivilege	1440	stealeing.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1696	1048	ArkAngel.exe	27
PID 1048 wrote to memory of 1696	1048	ArkAngel.exe	27
PID 1048 wrote to memory of 1696	1048	ArkAngel.exe	27
PID 1048 wrote to memory of 1696	1048	ArkAngel.exe	27
PID 1696 wrote to memory of 1440	1696	sex.exe	29
PID 1696 wrote to memory of 1440	1696	sex.exe	29
PID 1696 wrote to memory of 1440	1696	sex.exe	29
PID 1696 wrote to memory of 1440	1696	sex.exe	29
PID 1048 wrote to memory of 856	1048	ArkAngel.exe	28
PID 1048 wrote to memory of 856	1048	ArkAngel.exe	28
PID 1048 wrote to memory of 856	1048	ArkAngel.exe	28
PID 1048 wrote to memory of 856	1048	ArkAngel.exe	28
PID 1696 wrote to memory of 1004	1696	sex.exe	30
PID 1696 wrote to memory of 1004	1696	sex.exe	30
PID 1696 wrote to memory of 1004	1696	sex.exe	30
PID 1696 wrote to memory of 1004	1696	sex.exe	30
PID 856 wrote to memory of 1324	856	Pw_External.exe	31
PID 856 wrote to memory of 1324	856	Pw_External.exe	31
PID 856 wrote to memory of 1324	856	Pw_External.exe	31
PID 856 wrote to memory of 1324	856	Pw_External.exe	31
PID 856 wrote to memory of 872	856	Pw_External.exe	32
PID 856 wrote to memory of 872	856	Pw_External.exe	32
PID 856 wrote to memory of 872	856	Pw_External.exe	32
PID 856 wrote to memory of 872	856	Pw_External.exe	32
PID 1324 wrote to memory of 1840	1324	External.exe	34
PID 1324 wrote to memory of 1840	1324	External.exe	34
PID 1324 wrote to memory of 1840	1324	External.exe	34
PID 1324 wrote to memory of 1840	1324	External.exe	34
PID 1840 wrote to memory of 772	1840	External.exe	35
PID 1840 wrote to memory of 772	1840	External.exe	35
PID 1840 wrote to memory of 772	1840	External.exe	35

C:\Users\Admin\AppData\Local\Temp\ArkAngel.exe
"C:\Users\Admin\AppData\Local\Temp\ArkAngel.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\ProgramData\sex.exe
  "C:\ProgramData\sex.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\ProgramData\steal\stealeing.exe
    "C:\ProgramData\steal\stealeing.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\sex\stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\sex\stealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- C:\Users\Admin\AppData\Local\Temp\sex\Pw_External.exe
  "C:\Users\Admin\AppData\Local\Temp\sex\Pw_External.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\ProgramData\Pw External\External.exe
    "C:\ProgramData\Pw External\External.exe"
    3⤵
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\External.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\External.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1840 -s 1096
        5⤵
        Program crash
        
        PID:772
- - C:\ProgramData\Pw Loader\External Loader.exe
    "C:\ProgramData\Pw Loader\External Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Pw External\External.exe

Filesize
365KB

MD5
0b12fb0a096cbcd668735d7fe3258831

SHA1
4bf9762266cfea1a28008f41b6a30ab5dfd9cb46

SHA256
bda532d5f40c4d0a812ab874b25bf4d7b0bf301aeaa519b83791b18e5611fba2

SHA512
8b2bbeed6731cf966f929f87a9e53ebb58c5d9671fe90d11a4ce3a459bf70ea08176234348c5d8c2b65345427d137becb21b65111e76235fee2a3dd1ea79e5a3

Download Submit
C:\ProgramData\Pw External\External.exe

Filesize
365KB

MD5
0b12fb0a096cbcd668735d7fe3258831

SHA1
4bf9762266cfea1a28008f41b6a30ab5dfd9cb46

SHA256
bda532d5f40c4d0a812ab874b25bf4d7b0bf301aeaa519b83791b18e5611fba2

SHA512
8b2bbeed6731cf966f929f87a9e53ebb58c5d9671fe90d11a4ce3a459bf70ea08176234348c5d8c2b65345427d137becb21b65111e76235fee2a3dd1ea79e5a3

Download Submit
C:\ProgramData\Pw Loader\External Loader.exe

Filesize
720KB

MD5
d84df172ab64501480ed1fed2cd4e44d

SHA1
628cd1fbfa5b3bf2c833f865b1d20df61bed9e09

SHA256
3d4dee919dbf0c90207789de0bce40451ebc8611041a0f5dd7008535549d0d1d

SHA512
4d16d3872ae0bc4a023fca620eff7338896de5c6df21a1bfc196a49eccc379a4c7c0ac7bb0393345341099f928f4fdcd209ee37160a4134f39f2f8358bd9b863

Download Submit
C:\ProgramData\Pw Loader\External Loader.exe

Filesize
720KB

MD5
d84df172ab64501480ed1fed2cd4e44d

SHA1
628cd1fbfa5b3bf2c833f865b1d20df61bed9e09

SHA256
3d4dee919dbf0c90207789de0bce40451ebc8611041a0f5dd7008535549d0d1d

SHA512
4d16d3872ae0bc4a023fca620eff7338896de5c6df21a1bfc196a49eccc379a4c7c0ac7bb0393345341099f928f4fdcd209ee37160a4134f39f2f8358bd9b863

Download Submit
C:\ProgramData\sex.exe

Filesize
960KB

MD5
ae426bb3599515f544541fff8340bd3f

SHA1
52fcdc1d8bf01e946832c8c09ff64522ad8bc176

SHA256
72afd2f386b9f8e7e95678cafdfcff0fb6cf4faf401a4e3dcccb9daa15145c7d

SHA512
1399bea88d665e0cfa8a67ac06ec66f8eaa6221d95b220ff18a9fb92cb61cc96b0bd012dc1b31af215f82097c87dd8a183dfc56dcd2809b55bb214fff91bee7c

Download Submit
C:\ProgramData\sex.exe

Filesize
960KB

MD5
ae426bb3599515f544541fff8340bd3f

SHA1
52fcdc1d8bf01e946832c8c09ff64522ad8bc176

SHA256
72afd2f386b9f8e7e95678cafdfcff0fb6cf4faf401a4e3dcccb9daa15145c7d

SHA512
1399bea88d665e0cfa8a67ac06ec66f8eaa6221d95b220ff18a9fb92cb61cc96b0bd012dc1b31af215f82097c87dd8a183dfc56dcd2809b55bb214fff91bee7c

Download Submit
C:\ProgramData\steal\stealeing.exe

Filesize
783KB

MD5
155d596f25851ebfb3f3a46b29b2e393

SHA1
db233660a0c366c7e0a1bfe4e42e50414f2b08d0

SHA256
5883dc5f624e23c4b2525085d065da0a272646116ce74a35f85101195625bb7f

SHA512
54e73d412912dbdeb1b3abe9ee2dcfda8c1f09f08625ac6667995b61c1cc49d3dc2364bfea60003cdac8474e837587e757e69ec26f2e4f515119d405603a41d9

Download Submit
C:\ProgramData\steal\stealeing.exe

Filesize
783KB

MD5
155d596f25851ebfb3f3a46b29b2e393

SHA1
db233660a0c366c7e0a1bfe4e42e50414f2b08d0

SHA256
5883dc5f624e23c4b2525085d065da0a272646116ce74a35f85101195625bb7f

SHA512
54e73d412912dbdeb1b3abe9ee2dcfda8c1f09f08625ac6667995b61c1cc49d3dc2364bfea60003cdac8474e837587e757e69ec26f2e4f515119d405603a41d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\External.exe

Filesize
325KB

MD5
4865d00040c23db70eedf36afb8d8bd5

SHA1
fc178d9b35510d0aeb62d43e53636d4ea4ca057d

SHA256
e29ed05b16dd9d2c965cb8e1c19d8efbdaf696e050bf83b593f703ec8f797852

SHA512
6c2ce4d739db181e2114360d59ad76d00da33689e3f70155e0f4c2fd37afb8fd373aa541240d93af63f9ac7cdff0f2fc5b4003cc898c7fbc57c28dc29068803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\External.exe

Filesize
325KB

MD5
4865d00040c23db70eedf36afb8d8bd5

SHA1
fc178d9b35510d0aeb62d43e53636d4ea4ca057d

SHA256
e29ed05b16dd9d2c965cb8e1c19d8efbdaf696e050bf83b593f703ec8f797852

SHA512
6c2ce4d739db181e2114360d59ad76d00da33689e3f70155e0f4c2fd37afb8fd373aa541240d93af63f9ac7cdff0f2fc5b4003cc898c7fbc57c28dc29068803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex\Pw_External.exe

Filesize
1016KB

MD5
b51bbbef95e592e828a96265e1f4a1a3

SHA1
8a5d42651cb0b31879b58c1fefdec63f7ca6a9d2

SHA256
7fb53defbc52a007babaadac3bb8371cca58c0c3ffdf74572bd60515ac0f2578

SHA512
ff228a28377a0a6a2d13922ea9e3ec6370b81262987cd0e96502058a7950971e70fde4f7fec0f3d7cf616a30965d2b795292da9d950180a5d3f0fba14b0efbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex\Pw_External.exe

Filesize
1016KB

MD5
b51bbbef95e592e828a96265e1f4a1a3

SHA1
8a5d42651cb0b31879b58c1fefdec63f7ca6a9d2

SHA256
7fb53defbc52a007babaadac3bb8371cca58c0c3ffdf74572bd60515ac0f2578

SHA512
ff228a28377a0a6a2d13922ea9e3ec6370b81262987cd0e96502058a7950971e70fde4f7fec0f3d7cf616a30965d2b795292da9d950180a5d3f0fba14b0efbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex\stealer.exe

Filesize
303KB

MD5
0c430a6beaadb67656b448a524a81fad

SHA1
29fb2ca19abb7d5de7545209d4ee9b9807eda935

SHA256
79c1166d2a8695dfea7fb45d98b2872e8ac8fde129b23d43a72a22928dad8ba4

SHA512
b24b86cbefdf3ba8b56b596ea26102d535e31051a9e7fb26ab566ddf57202755b5f8f132f8500d1d470ce5eda1799f0838ff979765ce6b7edeeb6c97cb6390f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex\stealer.exe

Filesize
303KB

MD5
0c430a6beaadb67656b448a524a81fad

SHA1
29fb2ca19abb7d5de7545209d4ee9b9807eda935

SHA256
79c1166d2a8695dfea7fb45d98b2872e8ac8fde129b23d43a72a22928dad8ba4

SHA512
b24b86cbefdf3ba8b56b596ea26102d535e31051a9e7fb26ab566ddf57202755b5f8f132f8500d1d470ce5eda1799f0838ff979765ce6b7edeeb6c97cb6390f3

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\ProgramData\Pw External\External.exe

Filesize
365KB

MD5
0b12fb0a096cbcd668735d7fe3258831

SHA1
4bf9762266cfea1a28008f41b6a30ab5dfd9cb46

SHA256
bda532d5f40c4d0a812ab874b25bf4d7b0bf301aeaa519b83791b18e5611fba2

SHA512
8b2bbeed6731cf966f929f87a9e53ebb58c5d9671fe90d11a4ce3a459bf70ea08176234348c5d8c2b65345427d137becb21b65111e76235fee2a3dd1ea79e5a3

Download Submit
\ProgramData\Pw External\External.exe

Filesize
365KB

MD5
0b12fb0a096cbcd668735d7fe3258831

SHA1
4bf9762266cfea1a28008f41b6a30ab5dfd9cb46

SHA256
bda532d5f40c4d0a812ab874b25bf4d7b0bf301aeaa519b83791b18e5611fba2

SHA512
8b2bbeed6731cf966f929f87a9e53ebb58c5d9671fe90d11a4ce3a459bf70ea08176234348c5d8c2b65345427d137becb21b65111e76235fee2a3dd1ea79e5a3

Download Submit
\ProgramData\Pw Loader\External Loader.exe

Filesize
720KB

MD5
d84df172ab64501480ed1fed2cd4e44d

SHA1
628cd1fbfa5b3bf2c833f865b1d20df61bed9e09

SHA256
3d4dee919dbf0c90207789de0bce40451ebc8611041a0f5dd7008535549d0d1d

SHA512
4d16d3872ae0bc4a023fca620eff7338896de5c6df21a1bfc196a49eccc379a4c7c0ac7bb0393345341099f928f4fdcd209ee37160a4134f39f2f8358bd9b863

Download Submit
\ProgramData\Pw Loader\External Loader.exe

Filesize
720KB

MD5
d84df172ab64501480ed1fed2cd4e44d

SHA1
628cd1fbfa5b3bf2c833f865b1d20df61bed9e09

SHA256
3d4dee919dbf0c90207789de0bce40451ebc8611041a0f5dd7008535549d0d1d

SHA512
4d16d3872ae0bc4a023fca620eff7338896de5c6df21a1bfc196a49eccc379a4c7c0ac7bb0393345341099f928f4fdcd209ee37160a4134f39f2f8358bd9b863

Download Submit
\ProgramData\Pw Loader\External Loader.exe

Filesize
720KB

MD5
d84df172ab64501480ed1fed2cd4e44d

SHA1
628cd1fbfa5b3bf2c833f865b1d20df61bed9e09

SHA256
3d4dee919dbf0c90207789de0bce40451ebc8611041a0f5dd7008535549d0d1d

SHA512
4d16d3872ae0bc4a023fca620eff7338896de5c6df21a1bfc196a49eccc379a4c7c0ac7bb0393345341099f928f4fdcd209ee37160a4134f39f2f8358bd9b863

Download Submit
\ProgramData\sex.exe

Filesize
960KB

MD5
ae426bb3599515f544541fff8340bd3f

SHA1
52fcdc1d8bf01e946832c8c09ff64522ad8bc176

SHA256
72afd2f386b9f8e7e95678cafdfcff0fb6cf4faf401a4e3dcccb9daa15145c7d

SHA512
1399bea88d665e0cfa8a67ac06ec66f8eaa6221d95b220ff18a9fb92cb61cc96b0bd012dc1b31af215f82097c87dd8a183dfc56dcd2809b55bb214fff91bee7c

Download Submit
\ProgramData\sex.exe

Filesize
960KB

MD5
ae426bb3599515f544541fff8340bd3f

SHA1
52fcdc1d8bf01e946832c8c09ff64522ad8bc176

SHA256
72afd2f386b9f8e7e95678cafdfcff0fb6cf4faf401a4e3dcccb9daa15145c7d

SHA512
1399bea88d665e0cfa8a67ac06ec66f8eaa6221d95b220ff18a9fb92cb61cc96b0bd012dc1b31af215f82097c87dd8a183dfc56dcd2809b55bb214fff91bee7c

Download Submit
\ProgramData\sex.exe

Filesize
960KB

MD5
ae426bb3599515f544541fff8340bd3f

SHA1
52fcdc1d8bf01e946832c8c09ff64522ad8bc176

SHA256
72afd2f386b9f8e7e95678cafdfcff0fb6cf4faf401a4e3dcccb9daa15145c7d

SHA512
1399bea88d665e0cfa8a67ac06ec66f8eaa6221d95b220ff18a9fb92cb61cc96b0bd012dc1b31af215f82097c87dd8a183dfc56dcd2809b55bb214fff91bee7c

Download Submit
\ProgramData\steal\stealeing.exe

Filesize
783KB

MD5
155d596f25851ebfb3f3a46b29b2e393

SHA1
db233660a0c366c7e0a1bfe4e42e50414f2b08d0

SHA256
5883dc5f624e23c4b2525085d065da0a272646116ce74a35f85101195625bb7f

SHA512
54e73d412912dbdeb1b3abe9ee2dcfda8c1f09f08625ac6667995b61c1cc49d3dc2364bfea60003cdac8474e837587e757e69ec26f2e4f515119d405603a41d9

Download Submit
\ProgramData\steal\stealeing.exe

Filesize
783KB

MD5
155d596f25851ebfb3f3a46b29b2e393

SHA1
db233660a0c366c7e0a1bfe4e42e50414f2b08d0

SHA256
5883dc5f624e23c4b2525085d065da0a272646116ce74a35f85101195625bb7f

SHA512
54e73d412912dbdeb1b3abe9ee2dcfda8c1f09f08625ac6667995b61c1cc49d3dc2364bfea60003cdac8474e837587e757e69ec26f2e4f515119d405603a41d9

Download Submit
\ProgramData\steal\stealeing.exe

Filesize
783KB

MD5
155d596f25851ebfb3f3a46b29b2e393

SHA1
db233660a0c366c7e0a1bfe4e42e50414f2b08d0

SHA256
5883dc5f624e23c4b2525085d065da0a272646116ce74a35f85101195625bb7f

SHA512
54e73d412912dbdeb1b3abe9ee2dcfda8c1f09f08625ac6667995b61c1cc49d3dc2364bfea60003cdac8474e837587e757e69ec26f2e4f515119d405603a41d9

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\External.exe

Filesize
325KB

MD5
4865d00040c23db70eedf36afb8d8bd5

SHA1
fc178d9b35510d0aeb62d43e53636d4ea4ca057d

SHA256
e29ed05b16dd9d2c965cb8e1c19d8efbdaf696e050bf83b593f703ec8f797852

SHA512
6c2ce4d739db181e2114360d59ad76d00da33689e3f70155e0f4c2fd37afb8fd373aa541240d93af63f9ac7cdff0f2fc5b4003cc898c7fbc57c28dc29068803c

Download Submit
\Users\Admin\AppData\Local\Temp\sex\Pw_External.exe

Filesize
1016KB

MD5
b51bbbef95e592e828a96265e1f4a1a3

SHA1
8a5d42651cb0b31879b58c1fefdec63f7ca6a9d2

SHA256
7fb53defbc52a007babaadac3bb8371cca58c0c3ffdf74572bd60515ac0f2578

SHA512
ff228a28377a0a6a2d13922ea9e3ec6370b81262987cd0e96502058a7950971e70fde4f7fec0f3d7cf616a30965d2b795292da9d950180a5d3f0fba14b0efbe7

Download Submit
\Users\Admin\AppData\Local\Temp\sex\stealer.exe

Filesize
303KB

MD5
0c430a6beaadb67656b448a524a81fad

SHA1
29fb2ca19abb7d5de7545209d4ee9b9807eda935

SHA256
79c1166d2a8695dfea7fb45d98b2872e8ac8fde129b23d43a72a22928dad8ba4

SHA512
b24b86cbefdf3ba8b56b596ea26102d535e31051a9e7fb26ab566ddf57202755b5f8f132f8500d1d470ce5eda1799f0838ff979765ce6b7edeeb6c97cb6390f3

Download Submit
memory/856-85-0x0000000000AB0000-0x0000000000ADB000-memory.dmp

Filesize
172KB

Download
memory/856-91-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/856-88-0x0000000000AB0000-0x0000000000ADB000-memory.dmp

Filesize
172KB

Download
memory/872-86-0x0000000000E80000-0x0000000000F3A000-memory.dmp

Filesize
744KB

Download
memory/1004-82-0x00000000013D0000-0x0000000001422000-memory.dmp

Filesize
328KB

Download
memory/1048-108-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-79-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-109-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1324-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1324-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1440-99-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1440-98-0x000000001B540000-0x000000001B658000-memory.dmp

Filesize
1.1MB

Download
memory/1440-97-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/1440-87-0x0000000000CD0000-0x0000000000D9C000-memory.dmp

Filesize
816KB

Download
memory/1696-90-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-96-0x0000000000CC0000-0x0000000000D1C000-memory.dmp

Filesize
368KB

Download