blackguard | 493c80e25021389cf0f7c03d0ba7af14bcffd20ba1e50753eca5d69f6789f3be

Analysis

max time kernel
3s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6520075cebaaf79e5fda5bb7d77d3a72.exe
Size

11.2MB
MD5

6520075cebaaf79e5fda5bb7d77d3a72
SHA1

d12f23b92be59ff0d5fea73f15330e65779269ac
SHA256

493c80e25021389cf0f7c03d0ba7af14bcffd20ba1e50753eca5d69f6789f3be
SHA512

3ae6cfd1bd185aecca933c01dc41d2554ada1bd6d0c7f08cba391dc51a6e154f9bd47fe19d00c8d879bdd19cd5af4ed89ef76d6a8e744b61d940883a24232815
SSDEEP

196608:uhPtKEX9/rijfGV2CXBtlXu90HRmPtnHaOA9m6l/AQsscwFZ9q:uhPtljqGVLBG2QFnSFlTcwD9

Score

10^/10

blackguard dcrat xmrig infostealer miner rat stealer themida

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot1909916945:AAH0pLjSkBmQT4Vr_17-JSMoF4Lt_xOH9N8/sendMessage?chat_id=1640241476

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4800	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4800	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4800	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4800	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4800	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4800	schtasks.exe	94

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2612-75-0x00000000008B0000-0x0000000000948000-memory.dmp	dcrat
behavioral2/memory/820-88-0x0000000075C00000-0x0000000075CF0000-memory.dmp	dcrat
behavioral2/files/0x0008000000023229-183.dat	dcrat
behavioral2/files/0x0008000000023229-184.dat	dcrat
behavioral2/files/0x0006000000023215-54.dat	dcrat

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/5104-371-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-369-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-367-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-378-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-380-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-381-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-382-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-379-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-383-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-388-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-389-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/5104-387-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0006000000023214-30.dat	themida
behavioral2/files/0x0006000000023214-36.dat	themida
behavioral2/memory/820-99-0x0000000000520000-0x0000000000D36000-memory.dmp	themida
behavioral2/memory/1576-363-0x0000000000F30000-0x000000000178E000-memory.dmp	themida
behavioral2/memory/1576-100-0x0000000000F30000-0x000000000178E000-memory.dmp	themida
behavioral2/memory/1576-96-0x0000000000F30000-0x000000000178E000-memory.dmp	themida
behavioral2/memory/820-94-0x0000000000520000-0x0000000000D36000-memory.dmp	themida
behavioral2/files/0x0006000000023217-77.dat	themida
behavioral2/files/0x0006000000023217-76.dat	themida
behavioral2/files/0x0006000000023217-61.dat	themida
behavioral2/files/0x0006000000023214-39.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	freegeoip.app
46	freegeoip.app

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4468	schtasks.exe
3128	schtasks.exe
2020	schtasks.exe
3372	schtasks.exe
4112	schtasks.exe
5024	schtasks.exe
4128	schtasks.exe
1048	schtasks.exe
4152	schtasks.exe
2920	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	Internalprosecc.exe

C:\Users\Admin\AppData\Local\Temp\6520075cebaaf79e5fda5bb7d77d3a72.exe
"C:\Users\Admin\AppData\Local\Temp\6520075cebaaf79e5fda5bb7d77d3a72.exe"
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\wYWDPpUIxkTJ.exe
  "C:\Users\Admin\AppData\Local\Temp\wYWDPpUIxkTJ.exe"
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\Intilizate.exe
    "C:\Users\Admin\AppData\Local\Temp\Intilizate.exe"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\SystemPropertiesAdvance.exe
    "C:\Users\Admin\AppData\Local\Temp\SystemPropertiesAdvance.exe"
    3⤵
    PID:2612
  - - C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe
      "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe"
      4⤵
      PID:4484
- - C:\Users\Admin\AppData\Local\Temp\WindscribeLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\WindscribeLauncher.exe"
    3⤵
    PID:1576
- C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
  2⤵
  PID:2792
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6031730 --pass=nixwaree --cpu-max-threads-hint=40 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth
  2⤵
  PID:5104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Internalprosecc" /tr '"C:\Users\Admin\AppData\Roaming\Internalprosecc.exe"' & exit
  2⤵
  PID:1696

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Internalprosecc" /tr '"C:\Users\Admin\AppData\Roaming\Internalprosecc.exe"'
1⤵
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsInternal" /tr '"C:\Users\Admin\AppData\Roaming\WindowsInternal.exe"'
1⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Energy\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "WindowsInternal" /tr '"C:\Users\Admin\AppData\Roaming\WindowsInternal.exe"'
1⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Internalprosecc" /tr '"C:\Users\Admin\AppData\Roaming\Internalprosecc.exe"'
1⤵
- Creates scheduled task(s)
PID:1048
- C:\Users\Admin\AppData\Local\Temp\HashModule.exe
  "C:\Users\Admin\AppData\Local\Temp\HashModule.exe"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\WindowsInternal.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsInternal.exe"
  2⤵
  PID:728

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
1⤵
PID:2964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsInternal" /tr '"C:\Users\Admin\AppData\Roaming\WindowsInternal.exe"' & exit
1⤵
PID:3960

C:\Users\Admin\AppData\Roaming\Internalprosecc.exe
"C:\Users\Admin\AppData\Roaming\Internalprosecc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\AppData\Roaming\WindowsInternal.exe
"C:\Users\Admin\AppData\Roaming\WindowsInternal.exe"
1⤵
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Internalprosecc" /tr '"C:\Users\Admin\AppData\Roaming\Internalprosecc.exe"' & exit
1⤵
PID:3972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsInternal" /tr '"C:\Users\Admin\AppData\Roaming\WindowsInternal.exe"' & exit
1⤵
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe

Filesize
42KB

MD5
efe8178a80ea49d1dc42e4dbd0561062

SHA1
5ac463f3d36b0916a1ac9a022a11dfcf416243c0

SHA256
512b65f3c70c2266b4605f15690835a4460184c2bfd0520d99b3eb82cedf1bdb

SHA512
0386c2dfe83c45b80b92996e0764b1173abf326a48fcb7413ab029740daec5ece47389bb75a9f23e2c0fb3713b35cd8ac0ff5371a015be911580c5191e638ef7

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe

Filesize
55KB

MD5
99c1fc333f3b713c438e676fa2c3816b

SHA1
0eef92325ead820041f1f5b10844e0e07bed19f5

SHA256
003ea162e9b76c96d03289b1b7d7d049772e9b98cf575bbffde7e1f836469e62

SHA512
6c91a7cab6fe8236f4fe7ea9fb5a00e675d54872c6d2d2d068af062dce68a184d6424e36b6a368678a4ed35703b71dc3ffdf1a06ac959e63e30236645bea4daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsInternal.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HashModule.exe

Filesize
130KB

MD5
66f881a1df281b0e329b05126b4335e8

SHA1
4ffd59beff82a1df6138e066a57ac9c076c1c10b

SHA256
485b88add8e74598fdb0ac6444f3773ae491a5593dc7b7852ad714488e0868ba

SHA512
a358688352d3c8b2f2f34445c8526a2d3ec2d20a3cce7cbab251418297a28834a24f0b5659cf9d36c6dd4a573e80187711a25f0acd10b09957a469c0ea608aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HashModule.exe

Filesize
538KB

MD5
e1bdd171b500888480b6a4f3d7030464

SHA1
7964bc7c18ebb62186f88b02ac6cd6568226d998

SHA256
4c24a703e4942ba3aaeb471ef6c7545d8b61c7c6f310cb3b003c1020ce833658

SHA512
7fe07b5646d951642b7d70f1adc221c390d26531edd21e89dcd9d072ba3130d98b504c67ac2512185cc58048fe00e58f3daf1aa3d11bc8dfc28375b32df8be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HashModule.exe

Filesize
533KB

MD5
5df55f27ac018376f08b0b1b34e517a9

SHA1
5d1ebe2517f7c5dcf6d1ff665ee2099f65fe4974

SHA256
4cb40288b478bd9fb244c4a98a2eafff481e99de27ec21fd2b933767ebd6fd63

SHA512
43cf1dc7ef55d302224fb2269c4a3a449b643000d68b8223492cd01fa4545ba1c4b839448b9d88a092587c8e3fa99ff7c868eede3023cb8d43d5f0c7a51b8c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intilizate.exe

Filesize
252KB

MD5
3789b5c986e42d2129d22eeb97391e53

SHA1
9e9fb67cb575b92e9ec807ded4ef4a438851ab22

SHA256
113a531015976195be7f1898942e3e06fb1d8694b3faddcb6568b2b35a01344a

SHA512
8d9dca2de588cde4fbd3215811e0034419e70e00d3a8f61c2dfda2a2e66c633d7fb1c110656955b4a518684f8c04c665b6410c4f7864e29fd410663c12b82887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intilizate.exe

Filesize
182KB

MD5
4da90c6626c5ee66800959e74aff19ef

SHA1
f768e8126c8f183d002bb51476456ada2a2463c0

SHA256
f47e4c2807bb9e633ee0eaaaff38dac3867d47c08e7a3a6637e14d4411aebca3

SHA512
f71aeee54d15dee8ed5a38f4540c8e03dabdc2052fc4d9870262e900166824755d38858e7a9512388e5f4f838c0d3c86f76a5b1250e3d08c08421b50c00d8584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Intilizate.exe

Filesize
711KB

MD5
16d6c443968969016ebcde598ea0af0f

SHA1
61e5fc703e3e4c08a1270ca2d2fac8c1a8742964

SHA256
73b8fc69f7fcc79f1d58f1f99b46ea03a815a40e1a35301deeb1749747273ff3

SHA512
ede1ea2c90679fcc55453a4e2ca9ed9f0e4bccf3303e2ae4e9c859ee2eafafb6a1244b049c300c5fbd1ecb680c1a9ab5f560aea18b97600491d65c6ab27de4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemPropertiesAdvance.exe

Filesize
585KB

MD5
1b942194465c8ebe8db0f98539d3ea63

SHA1
f59928ba65b4a718cb05a40696f191db75c3b949

SHA256
2ef3c48dcc895ea8fd3476f43a87ec6a3a38d648db26fa6a3e48d3042c2c081a

SHA512
f5874a852296f6973923cccc41f231df5f684914449503e54b80cf5e187f64401c8e328e7e28cf712458a733b8695ddc31d29195d1cd5bb062f21539bb8bbfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsInternal.exe

Filesize
628KB

MD5
9b64d95186f80b1f8137b5b3083ed75c

SHA1
af9c5ad7202c9d224725c590b8a42a670958b5d5

SHA256
3ed6ca2fbe69d5ef891de62da9445cebb07d3c6139197a73ecf9736ad3c25a94

SHA512
4672fc1ef85d06c86939499298024e72923bbf1bb40423cf82962bb6788e2354ee66ada87ee91427bfd6c02ecd9b80f5190a98c61bd89598046d7f86e3f2f32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsInternal.exe

Filesize
516KB

MD5
3c06cb14ef24a35d76189c9d62437be5

SHA1
62f20b5e7763429e5cdc5f54cfd777993b35648e

SHA256
be71bd821877be704d774f152fa1df97a471d6fb5515c1a532f55648a7920571

SHA512
5412e16290aafaa63af24f5dd3afcf2390a480dafe6e9f2a6ffdf168307c397cfe28e15a3a4e6fc87f65006d23737bec5ddef946b505232f642e90ee04e9422c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsInternal.exe

Filesize
680KB

MD5
3ad3236a3af81e88263e1e86241e5b9e

SHA1
db7e23455cc013b4f1dd32a52d547345ab2829e9

SHA256
3f60076480c60de792f014e5f7d2ff5cdc9368425863318027c8308b505182ee

SHA512
3e9450a49c2f078f8eeed1d2ae47b11b89db12a40900e9cb675decfd56280d4261e4b8c74c8eef03c48088d80a43418f11640a6e55ecf1326365466b0c1e9f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindscribeLauncher.exe

Filesize
568KB

MD5
d8c3a6b36daa7244b6cd153f516810d3

SHA1
004b9178ca465b449881cb13104d8bf230dca4f8

SHA256
3c868a0babaef1cd32e2a88d6d63434f8c918b9293ad270cbde3f47ec79178ca

SHA512
78270c924f80c92e74c035cbddbf3e0f1c1892a4a0536cd8ab87cff1f0f6f420f608e9db2bf4343d733bcde44d2d848457cab9b97f319e52159a0575b14d3a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindscribeLauncher.exe

Filesize
416KB

MD5
2c4db2fec075fc11b57a7c3b1a248795

SHA1
2a3803001331fa26b88663e1796a5308a5838316

SHA256
95a0b98a20750c98954e7c75620b8aad70c566e72c96203f8c44a9945653d8c7

SHA512
1b9e64572dd9ee7b49e0b91ab9c1149aff3dc7fa6bbde36a0716319dd903dd772f9014f79404bc45a792ad4221fc11ce83d6b3312092e359e2a224b3bd6c2a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindscribeLauncher.exe

Filesize
457KB

MD5
13990ca050d0419d27da5aad8d14247d

SHA1
b31bc335cba6ee1366157760a1394367dc06af00

SHA256
a18a4962ee848dabca785895639cbdef962d14c98052da5f82b5ff562833a593

SHA512
91d3cecc4ca4c1f278d0830508be1442925d13814a609030a590730168a37cbe621bdcc6872610eeecea64bdb7dd85759ccb4b2dd171c1e05e0da22406acc809

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYWDPpUIxkTJ.exe

Filesize
481KB

MD5
42764a60964ad85eb2a321d71ff31c87

SHA1
27b51e2fa0eba4e4dcffa66f71d3c985250f81d1

SHA256
ad18a920c9707161fc85ad08211507da85b3f96f7bcd61511646cc7c139c04a4

SHA512
5097226e4bcfae5f6a6d71e5dc8222ccf759f3185220a44f1f87482110b1d524673e5ceda08372a4409df8573473ae6602ac5d0ca045cb332fc20b4f42c2ec0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYWDPpUIxkTJ.exe

Filesize
522KB

MD5
2d1fc365c654fbb1688e525d6d2cf38e

SHA1
7258e35d01d2d204cd13724d26c2b9828bca18ad

SHA256
95a0ccad33d93561aa0de3a930ccf56170b40499851ba8e3a2b0f53dc4799b1a

SHA512
9e71935d9e1c9d843475a75a8495f34818b61b1e08daea6f4ca9f6b1092cf6a311d0a9342674f5932ee22585bed78a0189d294c36af7a48a7d6c899a7c9c59ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYWDPpUIxkTJ.exe

Filesize
154KB

MD5
c892752cc0121f155b80fd82b1c03b2c

SHA1
91a623ff1819d3dda30561de552eaaa9e1cc4a4f

SHA256
ce9856e23ad664e04a00c033b988b0cd4079de7e33d1a4f258ce17cda33a687c

SHA512
d25b9a0b94bcdf115ee9a7ccc2d371e20e950be660461c146ff9bcc8e67d4cca4e06a3dc8ef731afb2c335f04cdfbafb1efa17cb43b27ebe4ba1f801ab049f59

Download Submit
C:\Users\Admin\AppData\Roaming\HBNNHHBNXZNJHTHRRPJTJBZHCNTALV.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\HBNNHHBNXZNJHTHRRPJTJBZHCNTALV.Admin\Process.txt

Filesize
753B

MD5
8e5a99963d410e98bf50d3c3f94d9e6b

SHA1
fb1f54b6cc281976c13bf1c70c42c6757e77adc8

SHA256
a3fff23075c0afe973be80bc0d2c50940114076720f5d9d70b3994e5f8cd1265

SHA512
11ae9ce90e6ea10df1a34381cb66d03ce670ac0bed07cfbb071e4ee49db9468450224a8e78baee32cf1d2bd16358534a963c95e3086ecad27e2a75a1cc73c7e2

Download Submit
C:\Users\Admin\AppData\Roaming\HBNNHHBNXZNJHTHRRPJTJBZHCNTALV.Admin\Process.txt

Filesize
1KB

MD5
6aa62bb35473d1ce06d7899b03f3f8e9

SHA1
fe8f46ff257178401f6d05a1cd6af5bc48f447de

SHA256
0b768f3e7871469f93c54134a30f5157c76774187ad42287b6ae6b3c26cca9d1

SHA512
4a1128fa2c45de8af54552884a5f5d5d3192786ab50be101f2cb2ab24ca2ece1e88ed39d40cb0336d0b6b0643aa87da7e045f09d0f97a280b965aab686a0627c

Download Submit
C:\Users\Admin\AppData\Roaming\Internalprosecc.exe

Filesize
164KB

MD5
4b06b42db179839dd27ce8a73a133e99

SHA1
64092408337ca8a86514c47b595974dfefee2254

SHA256
71704d51f72f9df524f91a7e6fff0b02025d2256f5333e9c7d6c78cc29174942

SHA512
f0dba2e746fd3dc17d7205889aee452d4f050a604474080d6281fd5560e6139fdee33dc688437f8cfcbd90d71d4de9b01bad422dfc3aa24a3fd032e46d3724ad

Download Submit
C:\Users\Admin\AppData\Roaming\Internalprosecc.exe

Filesize
119KB

MD5
d2700ea11ee95c6ea7783ef7adfb1792

SHA1
2cacec83ee4dbb37f73f6ceb3ed1d7114e694957

SHA256
3a189959bb2f13a1f55c4e011ce9a0d55a1a20b54e2150e5cb7598b40845cc52

SHA512
0de73e8bbe36cfff3d95564517e88306e9c75568ed238327a95d783cbe3922935ea28664b2e8dceb609a53471222a3e3b98aa22aa9fba432c574cb306d2b4d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
5f734ed938c8984c0e5426968b113e9e

SHA1
46ac5c9a3a00a58f6030ff4cc5025fa3252eda1d

SHA256
4f6f892557c9ae1813cb0824a0babcad4dc71dc5d534d5100df26d9cee03322d

SHA512
f6e4eaf862f4194fdf93225688403aa0f3d85bd875450b0cf5654b1afaef3f5230b794c5894289ab73cf8e7c827fa86cba8d2c0584d8ee365a977c8f303c3772

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
535dcc91e97292c6d78a5a936e25ee02

SHA1
535828103f018d4755cb0effc8af7668892940c9

SHA256
6a9d9122b72ce1c077a04553cdd9b2a57caab68e4dff2d6f56d50f42bc88470e

SHA512
972e7722b496c1ce7bebf144090c715eb12402eaa6ab90389222e8834afe253454a2de4182f08445e51027f6674a6f0264367b1505aef727da5765801d8c9ee5

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInternal.exe

Filesize
297KB

MD5
019ff55bdd79ebc8eb9124b5c0004221

SHA1
f6611444c9e03a36220938bec28d6e442e9ecbe2

SHA256
9999b332f8f08b7a12e7f9f7801f2d882d1527adb1cce515b08ed8bf467f5a10

SHA512
86f983406f60a5d4cf4545ac98c4ab1dfe2d2b42447956a5223de7bae29e4e0162e0270f1ea98e486cc09e4be0a7738d86cc7bbfe5bc8d1d9651f83463cb5dbd

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInternal.exe

Filesize
83KB

MD5
473342445720e03f9dcf9a23b296722e

SHA1
6a49a3a31e698f1917752670b1219ffd3ae55604

SHA256
bf9df4c8f8f2e85062da4144c264e4161ed699586bb869d3f8e24b65de52e713

SHA512
f8d16ea62c20c54147bdcc4470dd7f31923f3ca13c7fec1c3d13f1ba4dc317b2623c20cfeb93de1ec66e3b101729b5d716d7e8a12a3e2fc7299071110094caec

Download Submit
memory/728-86-0x000000001C850000-0x000000001C862000-memory.dmp

Filesize
72KB

Download
memory/728-85-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/728-97-0x000000001C910000-0x000000001C920000-memory.dmp

Filesize
64KB

Download
memory/728-304-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/728-84-0x000000001C920000-0x000000001CB0A000-memory.dmp

Filesize
1.9MB

Download
memory/728-66-0x0000000000C70000-0x0000000000E5C000-memory.dmp

Filesize
1.9MB

Download
memory/820-93-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-94-0x0000000000520000-0x0000000000D36000-memory.dmp

Filesize
8.1MB

Download
memory/820-333-0x0000000000520000-0x0000000000D36000-memory.dmp

Filesize
8.1MB

Download
memory/820-357-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-108-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/820-356-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-99-0x0000000000520000-0x0000000000D36000-memory.dmp

Filesize
8.1MB

Download
memory/820-161-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-158-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/820-167-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-164-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-55-0x0000000000520000-0x0000000000D36000-memory.dmp

Filesize
8.1MB

Download
memory/820-91-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-362-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-337-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-88-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-83-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/820-105-0x0000000005E20000-0x00000000063C4000-memory.dmp

Filesize
5.6MB

Download
memory/1576-129-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-144-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-104-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-361-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-101-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-168-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-100-0x0000000000F30000-0x000000000178E000-memory.dmp

Filesize
8.4MB

Download
memory/1576-289-0x0000000006AB0000-0x0000000006B16000-memory.dmp

Filesize
408KB

Download
memory/1576-96-0x0000000000F30000-0x000000000178E000-memory.dmp

Filesize
8.4MB

Download
memory/1576-159-0x0000000077274000-0x0000000077276000-memory.dmp

Filesize
8KB

Download
memory/1576-363-0x0000000000F30000-0x000000000178E000-memory.dmp

Filesize
8.4MB

Download
memory/1576-360-0x0000000000F30000-0x000000000178E000-memory.dmp

Filesize
8.4MB

Download
memory/1576-110-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-107-0x0000000075C00000-0x0000000075CF0000-memory.dmp

Filesize
960KB

Download
memory/1576-92-0x0000000000F30000-0x000000000178E000-memory.dmp

Filesize
8.4MB

Download
memory/2612-98-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/2612-75-0x00000000008B0000-0x0000000000948000-memory.dmp

Filesize
608KB

Download
memory/2612-186-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2612-79-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-320-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-4-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2780-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2780-16-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2780-3-0x0000000001890000-0x0000000001896000-memory.dmp

Filesize
24KB

Download
memory/2780-1-0x0000000000340000-0x0000000000E7E000-memory.dmp

Filesize
11.2MB

Download
memory/2780-2-0x0000000003440000-0x0000000003446000-memory.dmp

Filesize
24KB

Download
memory/2792-364-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-353-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2828-89-0x000000001CD50000-0x000000001CF52000-memory.dmp

Filesize
2.0MB

Download
memory/2828-95-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-82-0x0000000000B50000-0x0000000000D52000-memory.dmp

Filesize
2.0MB

Download
memory/2828-330-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-160-0x000000001C940000-0x000000001C950000-memory.dmp

Filesize
64KB

Download
memory/2964-335-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2964-336-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/2964-338-0x000000001C1F0000-0x000000001C200000-memory.dmp

Filesize
64KB

Download
memory/4484-188-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/4484-187-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-305-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/4684-339-0x00007FFDC0F30000-0x00007FFDC19F1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-383-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-369-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-375-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/5104-367-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-378-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-380-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-371-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-379-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-382-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-381-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-388-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-389-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/5104-387-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads