44caliber | hxxps://pixeldrain[.]com/u/pTQAcqFT

Analysis

max time kernel
87s
max time network
93s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pixeldrain.com/u/pTQAcqFT

Score

10^/10

44caliber njrat umbral evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1207297266575081502/8pNNw7XjV5x3NJruoh5DyQ0-4SAQCe6BhhIyIv91xDxVVGnGIhfAFyQBn7F9GYDazHOv

Extracted

Family

44caliber

https://discord.com/api/webhooks/1207280118632816672/0IZfDvtoISIje6CJrXL_Q-d2-6He_gSbGz-bx0rHpv2QNeoScHFiZ4sukqDpuSEztgqw

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/2768-229-0x0000000000B10000-0x0000000000EE8000-memory.dmp	family_umbral
behavioral1/memory/2768-231-0x0000000000B10000-0x0000000000EE8000-memory.dmp	family_umbral
behavioral1/memory/2768-273-0x0000000000B10000-0x0000000000EE8000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1604	netsh.exe
1724	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\857a36d144447cbe1b21c7d14a00d148.exe	Realtek_High_Defenition_Audio_Device.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\857a36d144447cbe1b21c7d14a00d148.exe	Realtek_High_Defenition_Audio_Device.exe

Executes dropped EXE 5 IoCs

pid	Process
1016	monjaro_executor.exe
2036	protected.exe
2768	stealer_umbral.exe
1668	stealer_44l.exe
524	Realtek_High_Defenition_Audio_Device.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	firefox.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2036	protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\857a36d144447cbe1b21c7d14a00d148 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtek_High_Defenition_Audio_Device.exe\" .."	Realtek_High_Defenition_Audio_Device.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\857a36d144447cbe1b21c7d14a00d148 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Realtek_High_Defenition_Audio_Device.exe\" .."	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2768	stealer_umbral.exe
1668	stealer_44l.exe
2036	protected.exe
524	Realtek_High_Defenition_Audio_Device.exe
524	Realtek_High_Defenition_Audio_Device.exe
524	Realtek_High_Defenition_Audio_Device.exe
524	Realtek_High_Defenition_Audio_Device.exe
524	Realtek_High_Defenition_Audio_Device.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2296	1668	WerFault.exe	40

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\monjaro_executor.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1080	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2768	stealer_umbral.exe
2036	protected.exe
1668	stealer_44l.exe
1668	stealer_44l.exe
1668	stealer_44l.exe
1668	stealer_44l.exe
524	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	firefox.exe
Token: SeDebugPrivilege	2496	firefox.exe
Token: SeDebugPrivilege	1668	stealer_44l.exe
Token: SeDebugPrivilege	2768	stealer_umbral.exe
Token: SeIncreaseQuotaPrivilege	268	wmic.exe
Token: SeSecurityPrivilege	268	wmic.exe
Token: SeTakeOwnershipPrivilege	268	wmic.exe
Token: SeLoadDriverPrivilege	268	wmic.exe
Token: SeSystemProfilePrivilege	268	wmic.exe
Token: SeSystemtimePrivilege	268	wmic.exe
Token: SeProfSingleProcessPrivilege	268	wmic.exe
Token: SeIncBasePriorityPrivilege	268	wmic.exe
Token: SeCreatePagefilePrivilege	268	wmic.exe
Token: SeBackupPrivilege	268	wmic.exe
Token: SeRestorePrivilege	268	wmic.exe
Token: SeShutdownPrivilege	268	wmic.exe
Token: SeDebugPrivilege	268	wmic.exe
Token: SeSystemEnvironmentPrivilege	268	wmic.exe
Token: SeRemoteShutdownPrivilege	268	wmic.exe
Token: SeUndockPrivilege	268	wmic.exe
Token: SeManageVolumePrivilege	268	wmic.exe
Token: SeImpersonatePrivilege	268	wmic.exe
Token: 33	268	wmic.exe
Token: 34	268	wmic.exe
Token: 35	268	wmic.exe
Token: SeIncreaseQuotaPrivilege	268	wmic.exe
Token: SeSecurityPrivilege	268	wmic.exe
Token: SeTakeOwnershipPrivilege	268	wmic.exe
Token: SeLoadDriverPrivilege	268	wmic.exe
Token: SeSystemProfilePrivilege	268	wmic.exe
Token: SeSystemtimePrivilege	268	wmic.exe
Token: SeProfSingleProcessPrivilege	268	wmic.exe
Token: SeIncBasePriorityPrivilege	268	wmic.exe
Token: SeCreatePagefilePrivilege	268	wmic.exe
Token: SeBackupPrivilege	268	wmic.exe
Token: SeRestorePrivilege	268	wmic.exe
Token: SeShutdownPrivilege	268	wmic.exe
Token: SeDebugPrivilege	268	wmic.exe
Token: SeSystemEnvironmentPrivilege	268	wmic.exe
Token: SeRemoteShutdownPrivilege	268	wmic.exe
Token: SeUndockPrivilege	268	wmic.exe
Token: SeManageVolumePrivilege	268	wmic.exe
Token: SeImpersonatePrivilege	268	wmic.exe
Token: 33	268	wmic.exe
Token: 34	268	wmic.exe
Token: 35	268	wmic.exe
Token: SeDebugPrivilege	524	Realtek_High_Defenition_Audio_Device.exe
Token: 33	524	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	524	Realtek_High_Defenition_Audio_Device.exe
Token: 33	524	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	524	Realtek_High_Defenition_Audio_Device.exe
Token: 33	524	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	524	Realtek_High_Defenition_Audio_Device.exe
Token: 33	524	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	524	Realtek_High_Defenition_Audio_Device.exe
Token: 33	524	Realtek_High_Defenition_Audio_Device.exe
Token: SeIncBasePriorityPrivilege	524	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2496	firefox.exe
2496	firefox.exe
2496	firefox.exe
2768	stealer_umbral.exe
2036	protected.exe
1668	stealer_44l.exe
524	Realtek_High_Defenition_Audio_Device.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2040 wrote to memory of 2496	2040	firefox.exe	24
PID 2496 wrote to memory of 2996	2496	firefox.exe	29
PID 2496 wrote to memory of 2996	2496	firefox.exe	29
PID 2496 wrote to memory of 2996	2496	firefox.exe	29
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 2844	2496	firefox.exe	30
PID 2496 wrote to memory of 1392	2496	firefox.exe	31
PID 2496 wrote to memory of 1392	2496	firefox.exe	31
PID 2496 wrote to memory of 1392	2496	firefox.exe	31
PID 2496 wrote to memory of 1392	2496	firefox.exe	31
PID 2496 wrote to memory of 1392	2496	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://pixeldrain.com/u/pTQAcqFT"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://pixeldrain.com/u/pTQAcqFT
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.0.1375631322\2134477665" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12079fd6-857e-40a7-87f0-57bd9a870ba0} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 1304 11df3e58 gpu
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.1.1242113679\466687357" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {823c4807-8b28-4144-b8bf-6684027436a6} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 1508 e6fe58 socket
    3⤵
    PID:2844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.2.1659470979\322163157" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab513c9-021b-4ffa-8c61-f8b23343f935} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 2120 19bb8458 tab
    3⤵
    PID:1392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.3.1266002382\1875361661" -childID 2 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26bbc270-2f13-44a7-9815-bdc15f507934} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 2900 1b8b2358 tab
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.4.1762979442\1857592635" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 3744 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ea122e-6bb6-4da9-b1c7-8fb7a0969f99} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 3764 1fce8258 tab
    3⤵
    PID:2008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.5.1959157293\1658575926" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4aab677-74a4-4489-b746-95fc486d9da4} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 3900 1fce5258 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2496.6.1235630360\568462373" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4080 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f9b03fe-4a39-41e9-9935-27d029e7b80a} 2496 "\\.\pipe\gecko-crash-server-pipe.2496" 4064 1fce7658 tab
    3⤵
    PID:2480
- - C:\Users\Admin\Downloads\monjaro_executor.exe
    "C:\Users\Admin\Downloads\monjaro_executor.exe"
    3⤵
    - Executes dropped EXE
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\protected.exe
      "C:\Users\Admin\AppData\Local\Temp\protected.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:524
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" "Realtek_High_Defenition_Audio_Device.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1604
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe" & exit
        6⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 0
        7⤵
        Runs ping.exe
        
        PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2768
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
  - - C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe
      "C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 900
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\11959

Filesize
7KB

MD5
150326601e1529d74bc0784afd6e643a

SHA1
752dd9a8b2cf37ebae904c9be96bbaf99636edac

SHA256
ddfa8a3fef4f878cb95627d94d803f431e1582e8096bd68a7777fb6bb4195fc8

SHA512
6942c3182ee23bc56215159c2f8e4a79c457ab5cab94d682b42d179f606d63a41957e1fa8d176da666e8a3539e9c9f65c2c4db2ae8eb1d991757cd44b7b8f1af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\20109

Filesize
7KB

MD5
0471c059228bd0f438e080ce1c1ee650

SHA1
82639e29fa2c10cd50603fcbe13afbce29a5f66b

SHA256
606f579b92a1ba7d9332fafc488e5eddfb65771445af0c306289899b2be8ba9d

SHA512
c0907f4985625fb1166a8eb5e1b8ee6cbd6935a3806fcd626aa3dd1971ceff1b80fbf01d18b90f79a87171569eef34151dc510cfb6658e4aaab1bec3b5e1087c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\23048

Filesize
7KB

MD5
c790d6de38dab960ab489655ab18a889

SHA1
e701c72b5af4a582dea0a1e64f235b83821b81d2

SHA256
763fb4e3db3181fa003381ec22d7fea3678a1c1388cd794c8946ff71eef92ff6

SHA512
b1c4572a2d6b0d65ffdf03d463b2d5413ab4cc7b2b9d9674cd156060f148a6f46277c401591519a1fa7fcff78d76a03bd0585e2100929e373faf349c3b0da1f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\28098

Filesize
7KB

MD5
1f925c4ac9b2353d00da8af61b041f3c

SHA1
265140d7a1b0f28daf51cee5f3e2d2ed24dc0632

SHA256
05f9550400cf325c5fb67c685fb45ad15dfc9faa826f96d12a031b9b9556c27c

SHA512
de89aa4736bb6adedd03f996a9921ad4847f62649356ddec1e4328c82ae217e40964f54725f8a677c290e46e3dec9df82c093339a35f660f77f0d5b19714a522

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\32510

Filesize
7KB

MD5
9aad487a392fe99f2a1322ee70097049

SHA1
f9bb0874d16a284a981e04fd19ff752fe22ce9e0

SHA256
88d590d72f38cbb7cd0504dce098fc207935cf94571f93053da1b569c24f7629

SHA512
45204e22ea2adbe8f3e13aa5ff2cb00802021afbde3e8f25c2d5d1fa7fc99d58eac1369737cb852c9b4ffa827c54a78593d61a6d1f0898303a7cd173008b8958

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\3770

Filesize
7KB

MD5
856de5567d14873121f95567de5e1b76

SHA1
77ab4a07491b52e3e2605d754669302e2ea35285

SHA256
403aa60f54c9cd25a622776f29c842fa989d7a8c89ebe42efcdcc6c5ef02c463

SHA512
f79f5e77342a20e25dca4e98fc6689e46351d4e1f24f48de162f4e368a19ab564b1dcbd1235604566d249a14e85a55aa6524d570635efac55803794d60587c81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\doomed\7679

Filesize
7KB

MD5
97a38200997f6fdaa53eb29a1f831ae0

SHA1
31d05bc796f7582dc422fa2f572870100b3f97a3

SHA256
c3284ed9f1088e1b7f1a57dd101ef616ab8f372deac21dc21d04797feb7cf9c1

SHA512
d97f7bff5f25083f4436fbc06289859c23364cf99363bbe7840ac8edc756a384d86c3a791603dda464857d4c1d864db807a5f7ab9612cbb6ed84fdde41f52ec5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
e9977a089b818938fade29a1cd0936dc

SHA1
1a9f7d347fa48807595d4b76dac53b41b03fa6c8

SHA256
fdf2b62eb7084ab72884625b53404f1445af1e4e04d9426676b66c9895dc7972

SHA512
0d824c2e9e0ba6f35da3dd15e6db23b48728f4991880739b42bbf13694ce75e8deb297937316cff1ce002b624ee787b84fd096fd2586c46a3bafeb441bf31d05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kzcnpuah.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
e23c191cf7dd6c0a22012222d663a0c3

SHA1
233c59e967ccffdca2cb23b322551a90e41d352c

SHA256
37f21495f454648ccf48483c45f4f0adf34ea0e8afc46626ade1c2f77ff2c947

SHA512
3520ca7515a4a18000e81092522dcabeab89d0d16447a5044cec38c721ef53eb15aa556f991dc36dcd49e569fd115849b9497ab2e10d229eb3a05b5177fffed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe

Filesize
91KB

MD5
62bf5a587e49fea8982804c719912a71

SHA1
c9285524fbda5508dc05f9f2b916d7e1db8af962

SHA256
af417008b4f76b3de616d03ab57b487e595726c2dcc5c576a6fe6340f7001b6b

SHA512
b44e9c9d18b984f3993d251b0e2fa5268a2d25cf5033e4c264ce817b22a0293568a4fa4715dd52135757189d216e33657b5f72ff46a93b5ccd4d0d0e3319cdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe

Filesize
9KB

MD5
7cedb59f6def4c20dd7bafd6a695fd97

SHA1
7f963c430045df133abc9d16d2c1c9e338302cf5

SHA256
5d571f02765367854d0137e48b83c9a6cdb2697cd72b6af3b2ef9607a6df2a65

SHA512
0cab004a21d8cf18f88c4bec19097af6171b497cdae0e9d3ede2836b36d64f8691a61eaafe4a40943b4cd9d7bca7b9eac4ee2967061b9b0612e4ead341cc3610

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe

Filesize
421KB

MD5
d540e01d3a3614ecf6746d6bc1dd6a54

SHA1
9e9a9dac66ffc2d9366196e421f89d486468dbf5

SHA256
877f21c06adaddf86a98c6c0f7e6e5b02b6ae3bc1d157ddfb6a7bea4c3b82a31

SHA512
5f02e39be1d0acb4042f7b2ad0a9c7bff0df115fc78d4f175831cfde67eb3e91c2b5b8bbd8da87ac6cb1f5c520e384760790d21e71d0d1e8dcecce398d9c939e

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
600KB

MD5
c80f6edf4860eb0db163d1fa085419e2

SHA1
d7927b52d67415f83f65f59f1a1428f90d0fbfb7

SHA256
0a3c4ef94df3c70377f6cda2d9b69691932ce57e7f35e844b79f04289ba6731a

SHA512
393700ac9ca385904cc840939ee241625458cb011ba5e5308d57d565f2b0f731e22277d1f87a2e5883561fa02fb91f0890e422459bdb9cb08ee0572085fdfa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
726KB

MD5
4ce7fd13d30f25a2e4750414fdcbb5eb

SHA1
1d3c62a9b9be963f07987ca1f79c071cc3b4f355

SHA256
d03f651e517ad44df32d7d5f7940bd47f5cfa12ad1febbdc31efcc0ed72235bf

SHA512
83bc93e1f6126e674aac22bd63bccfb1282101133053470941953677b3c3f36801a0ff1f4cdf3610d786b97e7526def2ddbc67be9c0b5a1ee5618f9abee1528c

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
512KB

MD5
d86f3183eb56796d8aad08555d3e673b

SHA1
2990c3d8c9eeeaf9e06245f209224b51862d1c14

SHA256
3c0a184a9769fb714c2645beb769c7be16ae44194431b492c11ae1485027a5cb

SHA512
1a5f9c19f5c64d5edf243d3b49a8530b473b2b6c0d7e96f3e2ccdc0ddac69f704b862a77871ef8b534b91250529ccfee709c9463f3d09866329d78c942b94e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe

Filesize
690KB

MD5
2f37907423cb7e2a0443262474adb919

SHA1
3f117bb93b6d81d4f3f926e0386d51595ecd3203

SHA256
b3a245cbe799ed0e369fea7c409774b1ace32405ccb7b31e0ffc25d4d1d84893

SHA512
f1e16b2343c4c5009cba10f4cf7f332955a1087b52df5ef4587641f828e344299c805094123571e6ddd2944e6e31a7ded5a05819e7fac401f909520c8d57aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealer_umbral.exe

Filesize
614KB

MD5
226d6e6fa94c47fcb57647c0721c72b0

SHA1
007cb8d884b8778eed4f7ae11dcc4ce8cadcbfcb

SHA256
098fc88236e34c75358ce5ab447998ef66cbad64acceaea8a2011ae44bc7e268

SHA512
c5733e90b1d94ab1e845232dd8e47ed1b1ea1114ecd519bed75cb842313dd398a815c4e22b5c03c58a2c372add6f62d44c0dc126def7a37c561f897de863bfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
6.9MB

MD5
9cbd9b13b62037bd5411a6685fc44a0a

SHA1
a291f0a9dd3c6d32c433c00211a1402ba4784f16

SHA256
00a137e6bcb14d217c4308eefd6fd9dee11979582b073fbcfbb338c287c8aad8

SHA512
54f7798470083dd1a5178f20adfa9dfca2c653596ec3543dce5ef853b280a4357715eb5a73ae8c589f61237981cdee6a0271b286f8e6c3f3ccc565ff7256dac1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d5b5623466ebdc451602f31f4e4f5d4b

SHA1
7a0069d3a90225c2f89effe0375491aec6a1ccfb

SHA256
9c6ae1629d6189f0f12036415e317a77a724de46d31f8ebb1de2f8e86a8ba1fc

SHA512
787f2a111abd063fe98b940b6f018d39834ea40601a26f591ffbc9d2f11b98249064ee3b17cdf5bacf33f54def67921632346b78b74d426abdadfc8f44130388

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\datareporting\glean\pending_pings\3a00e000-7e64-4191-85e5-71163612b585

Filesize
790B

MD5
3f5c92f6f54f1965b071ad655361bb12

SHA1
91ab200eec20bb0f729ebae8f9df22285983382c

SHA256
83010a332a8730eb7380a7f46ee1e40ecb3892961ce78ddd0b2ea59af792b3a0

SHA512
1ec04451d90b66ac7f46c8ab9ce02830bbe905c77f84a3616a428d045a621cc72d246d3785ac0c105172003d8d3df92c8ac5edbc8d20c6fed0dfd5603e24c708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\datareporting\glean\pending_pings\81d056f9-42d9-4f39-80d8-8004fa053552

Filesize
12KB

MD5
d5a61a8d81f5dd0e331334169164fc0a

SHA1
9add3b9c9a5d095e4a1e574db21687d647a87793

SHA256
ca01947b535a2d6eb5ab1239f8cabf2d48fc0916cf3b29d77fdb6a427f0edda1

SHA512
39cc8a0501f73c435e4a917d9316ff3997b79e004151d41df8d94246f6c0fea2019f729b049e1569142dc701508e5098f39624fdf0c33a96a274971094cf0fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
6.7MB

MD5
2049f978c8d70190648832100cc4bbd9

SHA1
374faac84c306463cc1d2cf0a2f4a155ee50be26

SHA256
dcb70a88b03b4d8d70003b82eac6914054df36efb9916c9a135eb4a2d31a276d

SHA512
3a28f2a18802315d1c6c6b88456cf212505a011318b0f61f999ef2c7dcdd16e2a4d1de64d77c1eafdcc27c61bcb23c0fefeceb88eb8101dbeb99f8f15551d375

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs-1.js

Filesize
7KB

MD5
7412a935684709dffff195ef5f6df172

SHA1
2e4cbd2fe36ae0236e1176e5f149fc2d5c66d64f

SHA256
ab5fc46ec61a8b60bf7110cdd95f025d80caf3ae74bc4d5aa31a9ee41261596e

SHA512
9f59647fabc80e5dfe1ff8a07321d1ccdf698b3f3b5941eeda5e0a6f9042ab6d50fb1a8170b5834f2167db0bfdc01eac29ac0b960768f66cd3e9ba8df0e30935

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs-1.js

Filesize
6KB

MD5
22094c03286adcc01addb438547ae6b4

SHA1
06b3c1387d1ad018881cba322b0af61ae444714d

SHA256
f20aba8258c8aa44b566e8e325dce959c3c7623f42784c1692a2ad44a09f7459

SHA512
adeced220b524dd2100069dae5b7ac31d1143674e6dd9f4d60c469787a19267c03209a22db0f7d97b602253694fc48d2ed478130e4484fedb45b55da8ebcadd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs-1.js

Filesize
6KB

MD5
cdad22eb596bdde110203fcfd4b3045d

SHA1
8eb5c30a83cc6eb0b08abbb8355f4c80b035a110

SHA256
8de05ddc5d784de80c91a0415ad20385537b3f8f41f56fe16c85702ab15880c7

SHA512
1ad89ef7d83e238124eaa78da5ae8d6acb88f2e8283dabea90ae9875fb120e88ba490816a0c8ed98ad7b8b0d4641c1eaca98f24146cb89c3bf3cac9887df8ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs.js

Filesize
6KB

MD5
0ad83fe4150880a53a020b6b5babc55d

SHA1
cee5bf9e2d6b824bdefe76c3b0d51d0fd4df4da3

SHA256
0770f81dc6e301792377a7bd67ecb8fb3e6fa2c08b2ac704fe2ecf093ffa9d92

SHA512
a264bcce8fdcb0d0f6157a866df126911d44841184bdadf82397426d7573f4a5f793dadec04aae049bc57893d5e416326972ac9107fa2db4d18f0ea0651e9e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs.js

Filesize
6KB

MD5
8b022404c9f8488839abdbc5705b57e6

SHA1
deca92f4f59a1967dc6e4bacaf627f29d81361e7

SHA256
55030ddcc67a604efa3635007e8d2e987f6449b0664adc22707d909c5eca84d6

SHA512
1f84290285f8868a603fb77d7b5fa48be22783e3cf94a64aa418b1a77f7e2a746168d3fec065298959a34796633da4b67c225b33dec58c116d0669e844117900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e661c23f2bbc143bac92b07a83f021f8

SHA1
4583089bb20baea8e7b9fb66005385ab9a25d5c9

SHA256
5005bc4ea50a884b26f6b50fe7c5da0215e994266c439bc4f84d6a605195ab22

SHA512
98db0260a72a0d8f94c814c4b552163c76a76fae00042c819910fcd76bbf760071f4faf5c02bc6dfaa39ccd24a0b0115e2a3a6f7d5fc45867dbf8d84f6f5407c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
19be8fda4eb91b2b3fd5175a0ac55679

SHA1
b6948b0497a2e6e5231b2cb2d87c91e0a7d21804

SHA256
d07b6f4e6a032b7ffdfee443424903627547707d4efd9d7ccf459e07288281de

SHA512
c79a662e79a0b8532a180f31925d09b85833d4da69f5f6614f0dabf8174579da12c63dc6774b32b8d858b450311f1fa3bf7b33936d52b44a354587f7cb63a210

Download Submit
C:\Users\Admin\Downloads\monjaro_executor.6XzvXBr9.exe.part

Filesize
1.9MB

MD5
1257acf8b62d8541d2860ffeae8b727f

SHA1
6cec03a1855b704d927075d36d8d9ba92831a443

SHA256
ffaffb1a0e883ca77edfb1725fe155f38e5ebca9cf2b9d47296a273bcf0235cb

SHA512
babfe47a663eab49c72296a52bf87b88b5efb19f3cd0db89d561446131f6e73070b894b4861a829ef5b41b65cafab7e29a61e7a17254371191ce0132558754fc

Download Submit
C:\Users\Admin\Downloads\monjaro_executor.exe

Filesize
1.2MB

MD5
5cbbe4263e3b07a57015994fe28c8561

SHA1
a362a4bf0095e72e3173ef58b624a45524dfc99d

SHA256
4e3188310af76fe39975641280a011be215f8506905347a2d76dac550845dbdd

SHA512
65e7e6e52392656436dcd3e4fef7406871a718e9244457aa0583bcae21c8c792de79e215c88a67b7a756d84cf79e8c201c95ea45489c779f8146e61be75907f4

Download Submit
C:\Users\Admin\Downloads\monjaro_executor.exe

Filesize
669KB

MD5
10db96aee0b17189d782919fea4b56c0

SHA1
ee1384b2832724d39394676a896bb19c6139b508

SHA256
d0ea6cf121e65d6e370db7536dc9b0e7e9cc60a8fd2ef65bf246d4dd7996a3d2

SHA512
1e77b84a78c0af36a0834502cff1a19a6d6d957058c2f0818b9840b607b8a8f70a506a4337d6c8f44a0257b338123b65283dec99caab5c187db0783f9a3fe895

Download Submit
\??\c:\users\admin\appdata\local\temp\71E53635

Filesize
14B

MD5
cade1ace9e852c3cd7389477da82cd68

SHA1
af02f76b17ad4b9bbfb26def6e2691d58fcf3e78

SHA256
9eb100d9c16747d8d98abc0d623bd06a7e91732cfc3e06c7d18655e25fb24e58

SHA512
e742a6070c5b4bc19663f17b69181ce5657dd5ded0b70b5c31b501007dfd998ae071d2e6b0667172103c2fbdf7356de75376fba26a096a3dae28eb562e78c44f

Download Submit
\Users\Admin\AppData\Local\Temp\Realtek_High_Defenition_Audio_Device.exe

Filesize
619KB

MD5
3308db5914e921c9344e4df9b3fd257a

SHA1
90100f9e935802ae111b7adc20bf69ea2ce516c1

SHA256
da27de51285230002412787802f43503d0fcb46e58ac72c5675e2b9a1b486a64

SHA512
0ad40cf756ee19f511ed1df07f5c939fd6ed7fdab6c2b4f42c7918b410471efedadf7b8dd36698cde3d49dd2295a5fad8ae2f0295b54d627a62daee71c79fed1

Download Submit
\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
73KB

MD5
b54235161ed40a065cc69256060ec967

SHA1
5a9010bb693e63b9971840a32de0e49c2090913f

SHA256
ed7d50ba1ad7e05f2d27981ee57536c69e3856726ae0bcf93b763af4e9ce2abd

SHA512
fea6dd356dba1d5e41c210f4f5811be86e238261cb1fa5a2c3d5b7de5e6e01e8b6ce69d0260bb54d5417d17ac673ebbb8bb1e6337360d35e704082fa51c291a4

Download Submit
\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
185KB

MD5
f42dea66355c14a844c867ae226e9df5

SHA1
4ef93e9f919dc56119c7b873094a427dee19b788

SHA256
dfa84fcd395ef952f4452280358fe0c8ba41e5240d1c7c17fb5c91229008a39a

SHA512
c44109b860da28229e0854f83a704e3de93426fecbda9ec6a6c5252c474ae5b79c14a9b6c6794d4cc9825d26039cfe4f23b4aba1bdec1beb09a3630d6bdfd338

Download Submit
\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
319KB

MD5
1982c85a549945eeca893e51b9be6b56

SHA1
8c9bff2e9e9189fa7f585bf603921d02ef33316e

SHA256
f3a553fa37a4b5507b837cae433ac496831c33ac1413bf77ad69439a9e440ed4

SHA512
f4686df12f5990ecdf786a624c1e9e1ddf491d6ca74b917952113571727cf64869e21f518aea4925e772aa3a789909081b860b529ea61dadc7779f2fd31793a2

Download Submit
\Users\Admin\AppData\Local\Temp\stealer_44l.exe

Filesize
158KB

MD5
d35bd3841c4bc1fad82abb2abeca4271

SHA1
317d69fdec4b5216a3d787ec81bff11836a4c4b3

SHA256
34240855759b856893741e6bd4b71df8a6384c55bd491d8e5048b1e890d48125

SHA512
cc3d5c67bd3556dce91894c5804139bd5e8509c1cb5df7d9fb4cd5669b71600d3630aac3310c03f120f899274dd612b494115c4b55ae9baf2ca892f8c05e5d73

Download Submit
\Users\Admin\Downloads\monjaro_executor.exe

Filesize
1.2MB

MD5
7537b0cacc30c99eb6d9d8b183a5aa7c

SHA1
13fb28bd8a023b47c08b140094189535401ce16f

SHA256
4e5e0ecbf727c0fd84db5ed8b426a21037f549aef169f14b1478725110acd3ba

SHA512
f194c4e8b5d3642f04a0bcf7585b0adada8b3e4c6675cb376fe0e0d10efa81197730229d0bd1fbe2b873fadc712c52ae211a422fde7a8546272a527dafdb081f

Download Submit
memory/524-318-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/524-313-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/524-292-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/524-641-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/524-294-0x0000000001130000-0x00000000014D8000-memory.dmp

Filesize
3.7MB

Download
memory/524-289-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/524-628-0x0000000001130000-0x00000000014D8000-memory.dmp

Filesize
3.7MB

Download
memory/524-331-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/524-317-0x0000000001130000-0x00000000014D8000-memory.dmp

Filesize
3.7MB

Download
memory/524-310-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1668-232-0x0000000000890000-0x0000000000C7A000-memory.dmp

Filesize
3.9MB

Download
memory/1668-238-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1668-316-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-309-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-301-0x0000000000890000-0x0000000000C7A000-memory.dmp

Filesize
3.9MB

Download
memory/1668-220-0x0000000000890000-0x0000000000C7A000-memory.dmp

Filesize
3.9MB

Download
memory/1668-315-0x0000000000890000-0x0000000000C7A000-memory.dmp

Filesize
3.9MB

Download
memory/1668-230-0x0000000000890000-0x0000000000C7A000-memory.dmp

Filesize
3.9MB

Download
memory/1668-236-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-285-0x00000000009A0000-0x0000000000D48000-memory.dmp

Filesize
3.7MB

Download
memory/2036-237-0x0000000002F30000-0x0000000002F70000-memory.dmp

Filesize
256KB

Download
memory/2036-235-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-234-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-210-0x00000000009A0000-0x0000000000D48000-memory.dmp

Filesize
3.7MB

Download
memory/2036-295-0x00000000009A0000-0x0000000000D48000-memory.dmp

Filesize
3.7MB

Download
memory/2036-293-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-264-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2768-229-0x0000000000B10000-0x0000000000EE8000-memory.dmp

Filesize
3.8MB

Download
memory/2768-273-0x0000000000B10000-0x0000000000EE8000-memory.dmp

Filesize
3.8MB

Download
memory/2768-219-0x0000000000B10000-0x0000000000EE8000-memory.dmp

Filesize
3.8MB

Download
memory/2768-274-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-231-0x0000000000B10000-0x0000000000EE8000-memory.dmp

Filesize
3.8MB

Download
memory/2768-233-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download