blackguard | e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162

Analysis

max time kernel
136s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2023 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162.exe
Size

5.6MB
MD5

6cac397492e6bc73d6392ced2325f115
SHA1

030889ffae25d113a8bb4265f4a1b8461f51b1f9
SHA256

e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
SHA512

e170b23ac30bae677ecbed36ce4ee3326bacd31d90ee22cd394a4e2a7ae6343f280d058f1cfa2c04eb15726fdb9f8db5111fb6693dc71d8f9a2ccc6c37e44802
SSDEEP

98304:e55jJI0tISNT/YdeZazBT+2WKYpTFjU/Lr6yPjlCM5Q2F3Bi0+:e5lJI0RZazVCTFjgLrXQMi2F3J+

Score

10^/10

blackguard persistence stealer

Malware Config

Extracted

Family

blackguard

http://194.50.153.136

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Executes dropped EXE 14 IoCs

pid	Process
2764	7z.exe
2508	7z.exe
4768	7z.exe
888	7z.exe
2296	7z.exe
4044	7z.exe
4652	7z.exe
2184	7z.exe
1584	7z.exe
660	7z.exe
1316	7z.exe
2684	7z.exe
3196	build.exe
2360	.exe

Loads dropped DLL 12 IoCs

pid	Process
2764	7z.exe
2508	7z.exe
4768	7z.exe
888	7z.exe
2296	7z.exe
4044	7z.exe
4652	7z.exe
2184	7z.exe
1584	7z.exe
660	7z.exe
1316	7z.exe
2684	7z.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhYsbt = "\"C:\\ProgramData\\.exe\""	.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1700	timeout.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeRestorePrivilege	2764	7z.exe
Token: 35	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeRestorePrivilege	2508	7z.exe
Token: 35	2508	7z.exe
Token: SeSecurityPrivilege	2508	7z.exe
Token: SeSecurityPrivilege	2508	7z.exe
Token: SeRestorePrivilege	4768	7z.exe
Token: 35	4768	7z.exe
Token: SeSecurityPrivilege	4768	7z.exe
Token: SeSecurityPrivilege	4768	7z.exe
Token: SeRestorePrivilege	888	7z.exe
Token: 35	888	7z.exe
Token: SeSecurityPrivilege	888	7z.exe
Token: SeSecurityPrivilege	888	7z.exe
Token: SeRestorePrivilege	2296	7z.exe
Token: 35	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	4652	7z.exe
Token: 35	4652	7z.exe
Token: SeSecurityPrivilege	4652	7z.exe
Token: SeSecurityPrivilege	4652	7z.exe
Token: SeRestorePrivilege	2184	7z.exe
Token: 35	2184	7z.exe
Token: SeSecurityPrivilege	2184	7z.exe
Token: SeSecurityPrivilege	2184	7z.exe
Token: SeRestorePrivilege	1584	7z.exe
Token: 35	1584	7z.exe
Token: SeSecurityPrivilege	1584	7z.exe
Token: SeSecurityPrivilege	1584	7z.exe
Token: SeRestorePrivilege	660	7z.exe
Token: 35	660	7z.exe
Token: SeSecurityPrivilege	660	7z.exe
Token: SeSecurityPrivilege	660	7z.exe
Token: SeRestorePrivilege	1316	7z.exe
Token: 35	1316	7z.exe
Token: SeSecurityPrivilege	1316	7z.exe
Token: SeSecurityPrivilege	1316	7z.exe
Token: SeRestorePrivilege	2684	7z.exe
Token: 35	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeSecurityPrivilege	2684	7z.exe
Token: SeDebugPrivilege	3196	build.exe
Token: SeDebugPrivilege	2360	.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3628	4640	e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162.exe	81
PID 4640 wrote to memory of 3628	4640	e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162.exe	81
PID 3628 wrote to memory of 4580	3628	cmd.exe	83
PID 3628 wrote to memory of 4580	3628	cmd.exe	83
PID 3628 wrote to memory of 2764	3628	cmd.exe	84
PID 3628 wrote to memory of 2764	3628	cmd.exe	84
PID 3628 wrote to memory of 2508	3628	cmd.exe	85
PID 3628 wrote to memory of 2508	3628	cmd.exe	85
PID 3628 wrote to memory of 4768	3628	cmd.exe	86
PID 3628 wrote to memory of 4768	3628	cmd.exe	86
PID 3628 wrote to memory of 888	3628	cmd.exe	87
PID 3628 wrote to memory of 888	3628	cmd.exe	87
PID 3628 wrote to memory of 2296	3628	cmd.exe	89
PID 3628 wrote to memory of 2296	3628	cmd.exe	89
PID 3628 wrote to memory of 4044	3628	cmd.exe	90
PID 3628 wrote to memory of 4044	3628	cmd.exe	90
PID 3628 wrote to memory of 4652	3628	cmd.exe	98
PID 3628 wrote to memory of 4652	3628	cmd.exe	98
PID 3628 wrote to memory of 2184	3628	cmd.exe	91
PID 3628 wrote to memory of 2184	3628	cmd.exe	91
PID 3628 wrote to memory of 1584	3628	cmd.exe	92
PID 3628 wrote to memory of 1584	3628	cmd.exe	92
PID 3628 wrote to memory of 660	3628	cmd.exe	97
PID 3628 wrote to memory of 660	3628	cmd.exe	97
PID 3628 wrote to memory of 1316	3628	cmd.exe	93
PID 3628 wrote to memory of 1316	3628	cmd.exe	93
PID 3628 wrote to memory of 2684	3628	cmd.exe	96
PID 3628 wrote to memory of 2684	3628	cmd.exe	96
PID 3628 wrote to memory of 2324	3628	cmd.exe	95
PID 3628 wrote to memory of 2324	3628	cmd.exe	95
PID 3628 wrote to memory of 3196	3628	cmd.exe	94
PID 3628 wrote to memory of 3196	3628	cmd.exe	94
PID 3196 wrote to memory of 2360	3196	build.exe	107
PID 3196 wrote to memory of 2360	3196	build.exe	107
PID 3196 wrote to memory of 3240	3196	build.exe	108
PID 3196 wrote to memory of 3240	3196	build.exe	108
PID 3240 wrote to memory of 1700	3240	cmd.exe	110
PID 3240 wrote to memory of 1700	3240	cmd.exe	110

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2324	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162.exe
"C:\Users\Admin\AppData\Local\Temp\e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p88302578768222955226656220 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_11.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\main\build.exe
    "build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\ProgramData\.exe
      "C:\ProgramData\.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5261.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\system32\timeout.exe
        
        timeout 7
        5⤵
        Delays execution with timeout.exe
        
        PID:1700
- - C:\Windows\system32\attrib.exe
    attrib +H "build.exe"
    3⤵
    - Views/modifies file attributes
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.exe

Filesize
3.2MB

MD5
cb37a6fcc78117455d7c0c04bc6c584f

SHA1
798bf6043837de372aee97e767bf207f99da9863

SHA256
221bdf03272d5d715d20d7828a408e3890a8c94e31a717e52ec78a63db35bdc0

SHA512
accaf2e7ed8d437684c249781799c3d35872efdc1e28438fb66120ec53a487ad58de6128a49b371e9647b092e93f0ea096db6c469dd374f662de9e8e53d3caef

Download Submit
C:\ProgramData\.exe

Filesize
3.2MB

MD5
cb37a6fcc78117455d7c0c04bc6c584f

SHA1
798bf6043837de372aee97e767bf207f99da9863

SHA256
221bdf03272d5d715d20d7828a408e3890a8c94e31a717e52ec78a63db35bdc0

SHA512
accaf2e7ed8d437684c249781799c3d35872efdc1e28438fb66120ec53a487ad58de6128a49b371e9647b092e93f0ea096db6c469dd374f662de9e8e53d3caef

Download Submit
C:\ProgramData\.exe

Filesize
3.2MB

MD5
cb37a6fcc78117455d7c0c04bc6c584f

SHA1
798bf6043837de372aee97e767bf207f99da9863

SHA256
221bdf03272d5d715d20d7828a408e3890a8c94e31a717e52ec78a63db35bdc0

SHA512
accaf2e7ed8d437684c249781799c3d35872efdc1e28438fb66120ec53a487ad58de6128a49b371e9647b092e93f0ea096db6c469dd374f662de9e8e53d3caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\build.exe

Filesize
3.2MB

MD5
cb37a6fcc78117455d7c0c04bc6c584f

SHA1
798bf6043837de372aee97e767bf207f99da9863

SHA256
221bdf03272d5d715d20d7828a408e3890a8c94e31a717e52ec78a63db35bdc0

SHA512
accaf2e7ed8d437684c249781799c3d35872efdc1e28438fb66120ec53a487ad58de6128a49b371e9647b092e93f0ea096db6c469dd374f662de9e8e53d3caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
1235228e99f11d085977e7d468b97c55

SHA1
b45b4f18d56597b9d8c337601f78f0c81ea772f0

SHA256
69718106acdd33831ea8555f5507a4c8fdca865f22b2a0e82a681fc9839bce6a

SHA512
2154ff44449ac35ac3c62ba70e50559d774c2ab47c2b2106b52aa0d909c94a05cf133ab9b55b2976b8499f32041f6834cf6f9113bed27212b6d3983dbae35a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\build.exe

Filesize
3.2MB

MD5
cb37a6fcc78117455d7c0c04bc6c584f

SHA1
798bf6043837de372aee97e767bf207f99da9863

SHA256
221bdf03272d5d715d20d7828a408e3890a8c94e31a717e52ec78a63db35bdc0

SHA512
accaf2e7ed8d437684c249781799c3d35872efdc1e28438fb66120ec53a487ad58de6128a49b371e9647b092e93f0ea096db6c469dd374f662de9e8e53d3caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
3.1MB

MD5
4b2f6953fe7d8e1af710f676e8ec67f3

SHA1
fa5fb3ec35674509faa62e62a179ae1551f0f964

SHA256
0e499567a91db9ee77dd786e228dbe91a603572f3b2b885fce02cf1d76707959

SHA512
81055341527836133bcdea61487e19fe26366de625599870a0f5a0a949bdb6166c66f3dcfc768395393a4ed10263d287d6cc03eb0096d53f7fdedd7df020bdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
3.1MB

MD5
cf6d2a3c8f1283cebaa71fde0e4a4176

SHA1
e3ef09ca302e341b5d60de30e28ec3b4f812ea88

SHA256
e2adcf688cb1e515e72d25d7e9ce0c3c4797756da0baf2b0d53cacff7ac36069

SHA512
09fd7857a62507d3bcf8628b0ce7d625bc20530bffbebf361a00a3807d0f6b748bd91b9d664918555fbc45a59c40437a6903c3b61a84d24b191ec6dfb226811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

Filesize
4.6MB

MD5
b56f74497c439e0fcc43ce51a8878bc0

SHA1
5dea26c2c85495dfca4e362f0c0b46dcc2af5449

SHA256
3f1ca4d158fe1b1172b2e606b1b5150c03fdcdaca969966ce27b33fae47c8b3d

SHA512
932d6bd1c31f38cdfc95814b66c9c04f2b3316e8ed2978f44f2a60ffda76fd8bf857b21984b75673e0b718aa6e5bef1611bb1feda861fb8c54c8ec51e7f0d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
3.1MB

MD5
00a8c662248a7dff92229a9a7ece23d8

SHA1
38b23d60ea049b5ea941ddc078f577e73a3b399c

SHA256
7903c80f93c77938c13285eb6464733394d07f6f3c8408b9322af16a43d4dfb2

SHA512
9f759e509518942e888b9011b9456aad9c3ca6281f90c1d5c62ab8248326b716aa2517161a1bf61b1533683cf7fa805b29e102d9d76b60e388a9620e8f1ede69

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
3.1MB

MD5
5d752ab0ed477858f37d29780cb4fd85

SHA1
67581409efe9c6b948feef23f6f72c274779ca18

SHA256
9939d6ec38329c889a6cc10b7419e80f05c99c9a3abde26a6a845874a821c010

SHA512
2bb81f3800889b68612aea9bec883518e7719d36ef6bd522a0e0b6af4f3ef8e03f79f8570e484766bed6a14ce538a566e246ac4b7fe4d2c3090770b3d02599a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
3.1MB

MD5
cdbb144d27565e70de639b593917d838

SHA1
327e4a17b4b78d80097daebbed838863429c794b

SHA256
c147824df37bd549812268ba4b180512f5c03a2b408d8aa2134e4a4a70b4d8e6

SHA512
42c1a6c16a93e9c0723d20134068fd99668aa92b34cad789d75b312610c24d53e26899679f9219c0a2400fe2d2fdeb4d4d36dc987ddf36e8d89d885ea28ec8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
3.1MB

MD5
799be7842a8481c238e5474c685bfd8d

SHA1
25cdfc82c537c88ce5eaef23c8db0372a3be52dc

SHA256
1263106bbc53095076fee1b3d7906d60418497b039334adfd380b83c2cc22c92

SHA512
102546cc5f01e2834f29801ab9da056ad589456bb640ae541bb590eaf1abda5e5ab66495a34f5f458d8dc3fef887d00a34ee891389494b2cd0100ad77a402f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
3.1MB

MD5
9e5c3477181fe9148ba9996aaab4cc6e

SHA1
dc6b9dfbdf5606eb22fa1c329b2d325dd598e61f

SHA256
4401d289ebd9809fc1db2ed89bb1fd84eec6743987027a74f7680db003b2ec92

SHA512
622d254f1e43ecd47d1d1d8dae89541826b8cd1a2613613c1316f9973897c91d67a7c8ce50d4d00a2a5be90815f8397272f577a90369172f68b5ee43fffc7cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
3.1MB

MD5
92a55900515dd1fad09b2d13fd3d270c

SHA1
99ac274e3af2a3679ac6a610293932927f8a0a2a

SHA256
4d89e0e1910d309f6d92eed7058210f007503ddc646233d76b17a1a1f3fb756c

SHA512
4da0ee68bff2ad89ea46ada2cd36713183071532341eb913136b277f059bb4ac147c4b8b75241068c7028ce752b24c07f418cfae2f28292711d63b2d9ec87752

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
3.1MB

MD5
40bad7af037bf38b1f544a9894289c5b

SHA1
5f8dcc1e01365f6d083a652019fab79f53dd205e

SHA256
097c9ace05268ca6d016e3d1a6123948041a2422c67a04720cfe9b5efa5fd08f

SHA512
4c4dc8ebebe5130e17b7525f587399e4b4e479033fc39e4c156d4b1abfa885f560437e2d0303abe2189bed98acbe2ba4fed94629783076dd0bf52c3a8bef3cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
3.1MB

MD5
bb55f4bf9098fb76c273a1e5b2eaa9c1

SHA1
36706828cd43f0d08c67e69c1494a6189f184839

SHA256
8638562bddf68b070a28d315e9eaf3a0dba14855f9c664af2228bda2b53f642f

SHA512
33b87641a79da701b4d034f3f6f755d693d46c82b89e5f2ac1fbb539330a7281fee39b5871714ec5f770cb9f887d7fb2cffc3cbe290797ea763f59cb1af189f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
4.6MB

MD5
bc3f80e6508d1640b349a3c3f8779080

SHA1
8e52c6116d84e96276459b690902407f48218708

SHA256
7e22d4030c668da11365147d3a9c12801cc608540f0826a534eebfb876b12e2d

SHA512
a1565909c7fef93d05b873a386bacbebaa4a0bca8dbcc71dddca508ec3b70884b1e5e6170b7a8176752b344c3eeb9690217400146e510ab533f7401538543426

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
453B

MD5
3744e6035c9ff6c3a936af379ab62dc9

SHA1
8ba8eb862ba076fd04cebe18a6b5cde27ae4e04a

SHA256
b35032a1b51bee64266d85fc30c2db64ac793e5e0ca39416951ea61978c742d5

SHA512
dd881783b7656a1467155c4a5f90ff879924bf41ad5db82cce07ad5eddddbc6294ac458471de69e0cdea3f8259b9530319312e429e1b90ab324aef789522748d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5261.tmp.bat

Filesize
162B

MD5
bc58b00048efdb1057a2b42b09e0b9cc

SHA1
dc6c426abaa42d5935a06339a72d40be3b06d42e

SHA256
dadc0854d9f28ca95fdc410fab2bfb047ce2d2c4c42f7b00a5079c5adfa35689

SHA512
bc30e36b1f08db4e0412b34f972c7ac4a74194904090b9d19c321b1b794d3dfb184b7ad40e83d2a6dfe241fa9ce28335d0a5ba00bd320679e4fa5df54817e378

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAB8.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/2360-247-0x00007FFF8ADC0000-0x00007FFF8B881000-memory.dmp

Filesize
10.8MB

Download
memory/2360-252-0x000001C078ED0000-0x000001C0793F8000-memory.dmp

Filesize
5.2MB

Download
memory/2360-251-0x000001C0787D0000-0x000001C078992000-memory.dmp

Filesize
1.8MB

Download
memory/2360-243-0x00007FFF8ADC0000-0x00007FFF8B881000-memory.dmp

Filesize
10.8MB

Download
memory/2360-244-0x000001C0784F0000-0x000001C078500000-memory.dmp

Filesize
64KB

Download
memory/2360-248-0x000001C0784F0000-0x000001C078500000-memory.dmp

Filesize
64KB

Download
memory/3196-227-0x00007FFF8ADC0000-0x00007FFF8B881000-memory.dmp

Filesize
10.8MB

Download
memory/3196-226-0x0000019E40BF0000-0x0000019E40C00000-memory.dmp

Filesize
64KB

Download
memory/3196-245-0x00007FFF8ADC0000-0x00007FFF8B881000-memory.dmp

Filesize
10.8MB

Download
memory/3196-228-0x0000019E40BF0000-0x0000019E40C00000-memory.dmp

Filesize
64KB

Download
memory/3196-224-0x0000019E26430000-0x0000019E2676A000-memory.dmp

Filesize
3.2MB

Download
memory/3196-225-0x00007FFF8ADC0000-0x00007FFF8B881000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads