Analysis
-
max time kernel
7s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
11-05-2024 10:53
General
-
Target
2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe
-
Size
2.7MB
-
MD5
731ff38afbc5a664f5a458e222d91f84
-
SHA1
5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701
-
SHA256
a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
-
SHA512
910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3
-
SSDEEP
24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3
Score
10/10
Malware Config
Extracted
Family
stealc
C2
http://185.172.128.150
Attributes
-
url_path
/c698e1bc8a2f5e6d.php
Signatures
-
Detect ZGRat V1 3 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 3 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 19 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
-
Detects executables (downlaoders) containing URLs to raw contents of a paste 3 IoCs
-
Detects executables Discord URL observed in first stage droppers 19 IoCs
-
Detects executables containing URLs to raw contents of a Github gist 19 IoCs
-
Detects executables containing artifacts associated with disabling Widnows Defender 19 IoCs
-
Detects executables referencing many varying, potentially fake Windows User-Agents 19 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-11_731ff38afbc5a664f5a458e222d91f84_megazord.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\JjZyt32Bn2wLsZlHDeDwBcya.exe"C:\Users\Admin\Pictures\JjZyt32Bn2wLsZlHDeDwBcya.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u1us.0.exe"C:\Users\Admin\AppData\Local\Temp\u1us.0.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\u1us.1.exe"C:\Users\Admin\AppData\Local\Temp\u1us.1.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD15⤵
-
C:\Users\Admin\Pictures\7qpe2uhyFfcFLK14hhWHZ9Vk.exe"C:\Users\Admin\Pictures\7qpe2uhyFfcFLK14hhWHZ9Vk.exe"3⤵
-
C:\Users\Admin\Pictures\7qpe2uhyFfcFLK14hhWHZ9Vk.exe"C:\Users\Admin\Pictures\7qpe2uhyFfcFLK14hhWHZ9Vk.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Users\Admin\Pictures\sVpmhyfZNMHMufQ7BOE7puy9.exe"C:\Users\Admin\Pictures\sVpmhyfZNMHMufQ7BOE7puy9.exe"3⤵
-
C:\Users\Admin\Pictures\sVpmhyfZNMHMufQ7BOE7puy9.exe"C:\Users\Admin\Pictures\sVpmhyfZNMHMufQ7BOE7puy9.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Users\Admin\Pictures\xiXA3znCUXMdfpI0a8QfLa3E.exe"C:\Users\Admin\Pictures\xiXA3znCUXMdfpI0a8QfLa3E.exe"3⤵
-
C:\Users\Admin\Pictures\xiXA3znCUXMdfpI0a8QfLa3E.exe"C:\Users\Admin\Pictures\xiXA3znCUXMdfpI0a8QfLa3E.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
-
C:\Users\Admin\Pictures\4icatpv0ABPtSnHTqiKOKzCJ.exe"C:\Users\Admin\Pictures\4icatpv0ABPtSnHTqiKOKzCJ.exe"3⤵
-
C:\Users\Admin\Pictures\4icatpv0ABPtSnHTqiKOKzCJ.exe"C:\Users\Admin\Pictures\4icatpv0ABPtSnHTqiKOKzCJ.exe"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Users\Admin\Pictures\5KqBlZeDXkonXMAOUmIdBRZL.exe"C:\Users\Admin\Pictures\5KqBlZeDXkonXMAOUmIdBRZL.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSD6FE.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 10:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\uylCgPL.exe\" it /UcddidPliB 385118 /S" /V1 /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ7⤵
-
C:\Users\Admin\Pictures\KBorTadi7idXoN7BwnN2kup2.exe"C:\Users\Admin\Pictures\KBorTadi7idXoN7BwnN2kup2.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSF518.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 10:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\vuUnMeH.exe\" it /fHudidPXRn 385118 /S" /V1 /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ7⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {C99002A5-8A20-4F2B-88E5-C2B621136A34} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\vuUnMeH.exeC:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\vuUnMeH.exe it /fHudidPXRn 385118 /S2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gPhhYViQy" /SC once /ST 02:00:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gPhhYViQy"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gPhhYViQy"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
-
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\vuUnMeH.exeC:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\vuUnMeH.exe it /fHudidPXRn 385118 /S2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 66⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ghQCtJprT" /SC once /ST 01:30:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ghQCtJprT"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ghQCtJprT"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYFNfWBHw" /SC once /ST 00:09:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gYFNfWBHw"3⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240511105425.log C:\Windows\Logs\CBS\CbsPersist_20240511105425.cab1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {27C88D4D-C877-4C9A-A07C-273D7C3C3B07} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Command and Scripting Interpreter: PowerShell
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15AFilesize
893B
MD5d4ae187b4574036c2d76b6df8a8c1a30
SHA1b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA5121f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52eefbbcc94826876a2bf808ffdacdce8
SHA14d6f333e66bf7c091d6216c0032110f1130760a3
SHA2565e030be04f89e3a49ee1caf9a197349aa8501f018fd3df09cdabcfc90aeef3f9
SHA5122fadf2e28e13f3d7bc54094054cbdae45d942818c7899207258541c584e97e92cdf2d60cfc2323b153471ef7f5922c59f94174e5b1e09cb202376080345b81ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55373005e53dc46b485a8e5ab2811b43b
SHA196eb94d1a1bb9f73143ec35706d0dc7c810840a5
SHA25666f37a5e537d1589ee261d2f3ebe1cededdcb07c5dd2aec491baa544c615b943
SHA512d787bd3b92f4c1fafbf171713fefd8187940b718c76f0621ccfbc8373e3635c8b21a289953989a42fa4555bec9dae8ed848e5a732d69c85ac29460b35486edcb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52c28fab8ba9f809fd40278ca2b4c2056
SHA168d95e23da3c8f21a401d45e187f0cdcbd28de03
SHA2561d1718a270e5ee102fa03a336b264a34c50d305a0a8585488b9a600163f2a2b3
SHA512134ca8be3922522f243975075783c665c44efe4210f30332fd3223196681dccbe1c0ad858942bd6259817cab351161206f21388c9dc3161a5fbd296e71ea1982
-
C:\Users\Admin\AppData\Local\Temp\CabAC29.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarAC5D.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Local\Temp\TarAD1E.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5a628e738428c5e13fedbfec073fe8943
SHA134dc1b6d6f0e925b24c5406c85efb01b670eafe9
SHA256c7854899e7efd7db2dce5450056d553295ca8e0bca311fa83a673e2e4259b701
SHA512ffa66afdd1ec217637f9d5d35f7ccbb844e13a42e5014fec29560e87021f3c67c50d62bc4e9dd0b03febe009d65a578a85f87dfa32815ae88cf804516a4ba007
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
3KB
MD55ad5bcc6a12fa29caba296dad50d8019
SHA1675f1a48cb25b70f856d612135e887e05a742216
SHA2564e8a0d4c892cc7b23e58aec41d966e15cf1634ad05e32a3c84146e4604547a85
SHA5122d78fe5f4d57624b3dccc649b35136d24142e72c1ee191136dc577146cbf4ff4e4dc5dbee9b0dc23f9ae76c28d9571b512f934af62f4a0161724acad9c3d30ce
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5beb961e538b45c6d8ee2e714b1f8aa7c
SHA1c54e8dd311c541ad5625805cd1572c650bb0bf92
SHA2567206cca5ceca4f0a229863f2e9b875730ea0472dd55ef2c6a07748268c919aa5
SHA5128c2fb0718d43b47a3ef1325d4ed0bb73d99f59c5f570ef2e891a63def3237c8dd9b92dc46f3d2061e4c8728b073d2a93d28d0e2ace690b146ffd95726cbde755
-
C:\Users\Admin\Pictures\4icatpv0ABPtSnHTqiKOKzCJ.exeFilesize
4.1MB
MD50b004bc3dda12c72e3fba5e88ff1e5b2
SHA180a435b54fded05c3f367aa80fc520410d8fa3b5
SHA2568ac77b0346213cd85babfd7ba2843b57d05ff710ea0faca597a96e48b17eaa64
SHA51206b8e14f6e44598ea51f8b82ec77808335d48f88dd59ef1c8b751b58430ff0478859834654e54bf3c4cfd7fad70238f620ea46d2b5cf2db204421737c3f069e2
-
C:\Users\Admin\Pictures\7qpe2uhyFfcFLK14hhWHZ9Vk.exeFilesize
4.1MB
MD5e59afc220dbb8577416508ad212bbd1b
SHA1a3ba692dbe801791159f783bed349706d8dd5dc7
SHA256f019eef28845ac4afccffd013f32abeab9bb387786991945aa5c1c4deaca794f
SHA512d4822ff9148a588f12d5aa4be460384b1a5b24530ebde445bd6daffc34d99e32c52d7dd18f302ead63943582042bd2941aa4f1f80f0aed9842983a7625791262
-
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.jobFilesize
500B
MD509e1cc0f44e50d8a9b41244a8d786d1c
SHA12c2a261365bf27a6330ca7dda091beab782f8526
SHA2563b6c656411c34f654c60a25dccd2509643987198873c57164d4510cfae1fdb84
SHA51281b9585e0591cb0d80c9fabfb815c44ef452ad7c92883898fa9123f540128a5fe63722fdfd1d41ec5f53799e359ce534f7118f2104e257ffd3cd1eaaa7ba301b
-
\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
\Users\Admin\AppData\Local\Temp\7zSD6FE.tmp\Install.exeFilesize
6.4MB
MD5220a02a940078153b4063f42f206087b
SHA102fc647d857573a253a1ab796d162244eb179315
SHA2567eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA51242ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
\Users\Admin\AppData\Local\Temp\u1us.0.exeFilesize
245KB
MD5e975a0eae2991f1e4c995d7a4e3ffd79
SHA190ca4c9586bf9d7a19312228b1fbba7dace29fc4
SHA256b00335a75190fd3b930329adf19c93b483975cb24cc056bea62b0ef359abe3fa
SHA512843e70b2ed07a7487c45471999cf521dd6d9e2049be013c2e57f0d6e14dfbda9cb97a324413d8bdcd13d3bf6e8f484f2ab89a541c92550f430d081e2434c919a
-
\Users\Admin\AppData\Local\Temp\u1us.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
\Users\Admin\Pictures\5KqBlZeDXkonXMAOUmIdBRZL.exeFilesize
6.2MB
MD55cc472dcd66120aed74de36341bfd75a
SHA11dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
SHA256958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA512b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81
-
\Users\Admin\Pictures\JjZyt32Bn2wLsZlHDeDwBcya.exeFilesize
387KB
MD55efbed893c9af6ae0042d0b8b2c2d090
SHA15371b9c6b3e76f0db786ae51d6aee604efb076c0
SHA2561f9bb64c03784d72a65182024ef3a57204d5335e99f2c6d2c3d7babde1c3a50e
SHA5120e8160f27770d699964b2a4020ae67290aa682f471a03a0a7289ac701e5238c2004a447ccf0e1088c88cb6cc1e19e30997dacf3207c87b20b0533ffe21ac1f82
-
memory/708-593-0x0000000000400000-0x000000000257A000-memory.dmpFilesize
33.5MB
-
memory/708-505-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/708-554-0x0000000000400000-0x000000000257A000-memory.dmpFilesize
33.5MB
-
memory/708-501-0x0000000000400000-0x000000000257A000-memory.dmpFilesize
33.5MB
-
memory/832-604-0x00000000042B0000-0x00000000046A8000-memory.dmpFilesize
4.0MB
-
memory/1148-403-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1148-397-0x00000000041B0000-0x00000000045A8000-memory.dmpFilesize
4.0MB
-
memory/1148-591-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1148-451-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1148-545-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1148-564-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1368-381-0x00000000042D0000-0x00000000046C8000-memory.dmpFilesize
4.0MB
-
memory/1368-575-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1368-542-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1368-550-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1368-448-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1368-396-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1464-609-0x00000000040F0000-0x00000000044E8000-memory.dmpFilesize
4.0MB
-
memory/1752-449-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1752-543-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1752-420-0x0000000004200000-0x00000000045F8000-memory.dmpFilesize
4.0MB
-
memory/1752-581-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1752-562-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1964-504-0x0000000000CA0000-0x000000000130E000-memory.dmpFilesize
6.4MB
-
memory/1964-639-0x0000000000CA0000-0x000000000130E000-memory.dmpFilesize
6.4MB
-
memory/1964-539-0x0000000010000000-0x00000000105DD000-memory.dmpFilesize
5.9MB
-
memory/2116-503-0x0000000000CA0000-0x000000000130E000-memory.dmpFilesize
6.4MB
-
memory/2116-638-0x0000000000CA0000-0x000000000130E000-memory.dmpFilesize
6.4MB
-
memory/2116-534-0x0000000010000000-0x00000000105DD000-memory.dmpFilesize
5.9MB
-
memory/2224-544-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2224-450-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2224-576-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2224-436-0x0000000004180000-0x0000000004578000-memory.dmpFilesize
4.0MB
-
memory/2224-563-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2380-398-0x0000000010000000-0x00000000105DD000-memory.dmpFilesize
5.9MB
-
memory/2380-585-0x0000000000BF0000-0x000000000125E000-memory.dmpFilesize
6.4MB
-
memory/2380-365-0x0000000001260000-0x00000000018CE000-memory.dmpFilesize
6.4MB
-
memory/2380-367-0x0000000001260000-0x00000000018CE000-memory.dmpFilesize
6.4MB
-
memory/2380-366-0x0000000001260000-0x00000000018CE000-memory.dmpFilesize
6.4MB
-
memory/2380-565-0x0000000001260000-0x00000000018CE000-memory.dmpFilesize
6.4MB
-
memory/2380-368-0x0000000000BF0000-0x000000000125E000-memory.dmpFilesize
6.4MB
-
memory/2404-466-0x0000000000400000-0x000000000259D000-memory.dmpFilesize
33.6MB
-
memory/2404-447-0x0000000000400000-0x000000000259D000-memory.dmpFilesize
33.6MB
-
memory/2596-402-0x0000000000E70000-0x00000000014DE000-memory.dmpFilesize
6.4MB
-
memory/2596-416-0x0000000010000000-0x00000000105DD000-memory.dmpFilesize
5.9MB
-
memory/2596-600-0x0000000000E70000-0x00000000014DE000-memory.dmpFilesize
6.4MB
-
memory/2596-602-0x00000000014E0000-0x0000000001B4E000-memory.dmpFilesize
6.4MB
-
memory/2596-404-0x00000000014E0000-0x0000000001B4E000-memory.dmpFilesize
6.4MB
-
memory/2596-405-0x00000000014E0000-0x0000000001B4E000-memory.dmpFilesize
6.4MB
-
memory/2596-601-0x00000000014E0000-0x0000000001B4E000-memory.dmpFilesize
6.4MB
-
memory/2596-406-0x00000000014E0000-0x0000000001B4E000-memory.dmpFilesize
6.4MB
-
memory/2660-605-0x0000000004330000-0x0000000004728000-memory.dmpFilesize
4.0MB
-
memory/2680-3-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2680-1-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2680-5-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2696-597-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/2696-546-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/2884-401-0x0000000002080000-0x00000000026EE000-memory.dmpFilesize
6.4MB
-
memory/2884-599-0x0000000002080000-0x00000000026EE000-memory.dmpFilesize
6.4MB
-
memory/2892-6-0x000000013F2B0000-0x000000013F5F9000-memory.dmpFilesize
3.3MB
-
memory/2892-0-0x000000013F2B0000-0x000000013F5F9000-memory.dmpFilesize
3.3MB
-
memory/2964-555-0x0000000001F30000-0x000000000259E000-memory.dmpFilesize
6.4MB
-
memory/2964-364-0x0000000001F30000-0x000000000259E000-memory.dmpFilesize
6.4MB
-
memory/3016-617-0x0000000005890000-0x00000000058B4000-memory.dmpFilesize
144KB
-
memory/3016-621-0x00000000058B0000-0x00000000058BA000-memory.dmpFilesize
40KB
-
memory/3016-608-0x00000000058D0000-0x00000000058DC000-memory.dmpFilesize
48KB
-
memory/3016-610-0x00000000057F0000-0x0000000005804000-memory.dmpFilesize
80KB
-
memory/3016-645-0x000000001EA50000-0x000000001EA5C000-memory.dmpFilesize
48KB
-
memory/3016-606-0x000000001EEE0000-0x000000001EFEA000-memory.dmpFilesize
1.0MB
-
memory/3016-619-0x000000001DE70000-0x000000001DE9A000-memory.dmpFilesize
168KB
-
memory/3016-618-0x0000000005880000-0x000000000588A000-memory.dmpFilesize
40KB
-
memory/3016-620-0x000000001EFF0000-0x000000001F0A2000-memory.dmpFilesize
712KB
-
memory/3016-607-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/3016-625-0x000000001F740000-0x000000001FA40000-memory.dmpFilesize
3.0MB
-
memory/3016-629-0x00000000059E0000-0x00000000059EA000-memory.dmpFilesize
40KB
-
memory/3016-598-0x00000000001F0000-0x0000000003A24000-memory.dmpFilesize
56.2MB
-
memory/3016-640-0x000000001EA40000-0x000000001EA4A000-memory.dmpFilesize
40KB
-
memory/3016-642-0x000000001EBC0000-0x000000001EBE2000-memory.dmpFilesize
136KB
-
memory/3016-641-0x000000001EB60000-0x000000001EBC2000-memory.dmpFilesize
392KB
-
memory/3040-603-0x0000000004330000-0x0000000004728000-memory.dmpFilesize
4.0MB
-
memory/3040-614-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB