493340b6a7247b62c120c17cebec7b9d6027ab56ec4abf809257068311bad309

Analysis

max time kernel
20s
max time network
38s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEGAsyncSetup64.exe
Size

57.1MB
MD5

2ebe2facc9c972b002e7822ad75af42d
SHA1

f3890f80e88e574d92f12a40e486430c3ae37546
SHA256

493340b6a7247b62c120c17cebec7b9d6027ab56ec4abf809257068311bad309
SHA512

be028a4c97d0d9d9012a0cd7e8e81c907d6be18d5efb2ba80c6f252c146b4e651ca139c19db5a566275cf31ce9392ab59c488f8bb2d40367239e6ff75b1f7fa8
SSDEEP

1572864:z4qhlwRYRsHRM7htx8sgVVtAK8AjMJsXk:z4qURHKVtx8sgVDnAJsXk

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000195bd-76.dat	acprotect
behavioral1/memory/2256-183-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	acprotect

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-78-0x0000000074EB0000-0x0000000074EBB000-memory.dmp	upx
behavioral1/files/0x00050000000195bd-76.dat	upx
behavioral1/memory/2256-94-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-137-0x0000000074EB0000-0x0000000074EBB000-memory.dmp	upx
behavioral1/memory/2256-151-0x0000000074EB0000-0x0000000074EBB000-memory.dmp	upx
behavioral1/memory/2256-175-0x0000000074EB0000-0x0000000074EBB000-memory.dmp	upx
behavioral1/memory/2256-183-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-219-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-231-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-245-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-258-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-295-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-309-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-405-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-415-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-476-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-656-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-1149-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx
behavioral1/memory/2256-1260-0x0000000074EA0000-0x0000000074EAB000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 64 IoCs

pid	Process
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
1572	regsvr32.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe
2256	MEGAsyncSetup64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEGAsyncSetup64.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2840	taskkill.exe
2576	taskkill.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890635}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}\ = "MEGA (Context menu)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\MEGA (Context menu)	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}\ = "\x01 MEGA (Pending)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MEGA (Context menu)	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\MEGA (Context menu)\ = "{0229E5E7-09E9-45CF-9228-0228EC7D5F17}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MEGA (Context menu)\ = "{0229E5E7-09E9-45CF-9228-0228EC7D5F17}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}\ = "\x01 MEGA (Synced)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\MEGA (Context menu)	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\MEGAsync\\ShellExtX64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890635}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MEGA (Context menu)\ = "{0229E5E7-09E9-45CF-9228-0228EC7D5F17}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890635}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\MEGAsync\\ShellExtX64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\MEGA (Context menu)\ = "{0229E5E7-09E9-45CF-9228-0228EC7D5F17}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\MEGAsync\\ShellExtX64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\MEGAsync\\ShellExtX64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}\ = "\x01 MEGA (Syncing)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\MEGAsync\\ShellExtX64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890635}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890635}\ = "\x01 MEGA (NotFound)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MEGA (Context menu)	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe
Token: SeRestorePrivilege	2256	MEGAsyncSetup64.exe
Token: SeTakeOwnershipPrivilege	2256	MEGAsyncSetup64.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1504	explorer.exe
1504	explorer.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2840	2256	MEGAsyncSetup64.exe	30
PID 2256 wrote to memory of 2840	2256	MEGAsyncSetup64.exe	30
PID 2256 wrote to memory of 2840	2256	MEGAsyncSetup64.exe	30
PID 2256 wrote to memory of 2840	2256	MEGAsyncSetup64.exe	30
PID 2256 wrote to memory of 2576	2256	MEGAsyncSetup64.exe	33
PID 2256 wrote to memory of 2576	2256	MEGAsyncSetup64.exe	33
PID 2256 wrote to memory of 2576	2256	MEGAsyncSetup64.exe	33
PID 2256 wrote to memory of 2576	2256	MEGAsyncSetup64.exe	33
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1572	2256	MEGAsyncSetup64.exe	35
PID 2256 wrote to memory of 1504	2256	MEGAsyncSetup64.exe	36
PID 2256 wrote to memory of 1504	2256	MEGAsyncSetup64.exe	36
PID 2256 wrote to memory of 1504	2256	MEGAsyncSetup64.exe	36
PID 2256 wrote to memory of 1504	2256	MEGAsyncSetup64.exe	36

C:\Users\Admin\AppData\Local\Temp\MEGAsyncSetup64.exe
"C:\Users\Admin\AppData\Local\Temp\MEGAsyncSetup64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM MEGAsync.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\MEGAsync\ShellExtX64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1572
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Suspicious use of FindShellTrayWindow
  PID:1504
- C:\Users\Admin\AppData\Local\MEGAsync\MEGAsync.exe
  C:\Users\Admin\AppData\Local\MEGAsync\MEGAsync.exe
  2⤵
  PID:2392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MEGAsync\MEGA Website.url

Filesize
44B

MD5
6800057c7c8057e3b32b89098ab4c5fb

SHA1
e22590bc0a3537d5efdb4c6c0a4e28a7d61f51f4

SHA256
7b5f1278de755dde65017404b662b6ab97fa7328974eec3872ce571f7e462dac

SHA512
29b281c62f3f03260d9f422c85f1e8ca701d3b15d144842612dfc00a9f1a5a4c81f1b5ce1ac8a82e7fed8660b2cf7cefcc51431c19db6ce8f3dbca4c55c7f715

Download Submit
C:\Users\Admin\AppData\Local\MEGAsync\ShellExtX64.dll

Filesize
811KB

MD5
c91752d28a0ce81a16896f54e3d28501

SHA1
7f0f7075e51b7d9bc1be7cbb1ea09d541fc46123

SHA256
89e2d8333c7215041cd9864ecbd43f5fc4bc7df4a8b6ca8b1311f5a46f7fe416

SHA512
20aeadcd18ba937aea96dd2fea7df3732a16bdd3d8e5b7e48fba3e774501d979e6d3ed376cae8a99ccd4119325b2ffc531b9664ff8388b75745751eda983fd38

Download Submit
C:\Users\Admin\AppData\Local\MEGAsync\leftbanner\left_banner96.bmp

Filesize
150KB

MD5
1d8eef457fee93a80364111745d6d7db

SHA1
ab9a797a10744f0ce39ffcaa3040091a8c0d0c11

SHA256
7780f0337551bce407ccee3e6995ca4289aa3c6fe67da7065afaa862030f8957

SHA512
e81ad703d378fd3150b9f408792135006b0b67c705f170f3d045751b2081d271eecc718c9e15531542aeb65d991f555fd49747059dbb5b89d1e0fd77b8f162a3

Download Submit
C:\Users\Admin\AppData\Local\MEGAsync\uninst.exe

Filesize
337KB

MD5
1a39ec812c343be1511405b571f02a4c

SHA1
aba56c47b5cbdfc6e52e5b38c648e4e7c77e7806

SHA256
daf43c6271d6565c917fa3dbb40a548719b004b3c64d1e60518b16ab54ac32ad

SHA512
480a288a6ee5afa03b0209aa01823584adaf075e1c9b418e9465e84e39890bd37309153deaa6fe6bdc8c5a4879d41e878ba900fe32a463c433722ae461c22583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC582.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\AccessControl.dll

Filesize
8KB

MD5
65d017ba65785b43720de6c9979a2e8c

SHA1
0aed2846e1b338077bae5a7f756c345a5c90d8a9

SHA256
ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

SHA512
31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\LangDLL.dll

Filesize
5KB

MD5
ab1db56369412fe8476fefffd11e4cc0

SHA1
daad036a83b2ee2fa86d840a34a341100552e723

SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\StartMenu.dll

Filesize
7KB

MD5
87dde5538ccc83d54d1fef0abc91998d

SHA1
61809d0b54b8cb91918ea2656bf43cfdbe4cd648

SHA256
948998c5c1f9bf5cebff627bc397a4641acc23fb9a3d32650df4ea3d87f68ebb

SHA512
37887af3f4a1f44a9970f662dd90f30009d2ad2b89fc5811074f0d76f9e178f416b0770827431bf1b4159a65b358598ee7d062692ca810fa601f81fe940fac85

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\execDos.dll

Filesize
5KB

MD5
0deb397ca1e716bb7b15e1754e52b2ac

SHA1
fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

SHA256
720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

SHA512
507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

Download Submit
\Users\Admin\AppData\Local\Temp\nszC582.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
memory/2256-405-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-1327-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-219-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-231-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-252-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-245-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-258-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-295-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-309-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-175-0x0000000074EB0000-0x0000000074EBB000-memory.dmp

Filesize
44KB

Download
memory/2256-415-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-476-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-656-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-1149-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-1260-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-183-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-151-0x0000000074EB0000-0x0000000074EBB000-memory.dmp

Filesize
44KB

Download
memory/2256-137-0x0000000074EB0000-0x0000000074EBB000-memory.dmp

Filesize
44KB

Download
memory/2256-94-0x0000000074EA0000-0x0000000074EAB000-memory.dmp

Filesize
44KB

Download
memory/2256-1373-0x0000000074DD0000-0x0000000074DDB000-memory.dmp

Filesize
44KB

Download
memory/2256-1372-0x0000000074DE0000-0x0000000074DEB000-memory.dmp

Filesize
44KB

Download
memory/2256-78-0x0000000074EB0000-0x0000000074EBB000-memory.dmp

Filesize
44KB

Download
memory/2256-1399-0x0000000074EB0000-0x0000000074EB9000-memory.dmp

Filesize
36KB

Download
memory/2256-1400-0x0000000074EA0000-0x0000000074EA9000-memory.dmp

Filesize
36KB

Download
memory/2392-1378-0x000007FEF3AC0000-0x000007FEF3EC2000-memory.dmp

Filesize
4.0MB

Download
memory/2392-1377-0x000007FEF4D50000-0x000007FEF529D000-memory.dmp

Filesize
5.3MB

Download
memory/2392-1379-0x000000013FC70000-0x000000014495F000-memory.dmp

Filesize
76.9MB

Download
memory/2392-1404-0x00000000049E0000-0x0000000004BE2000-memory.dmp

Filesize
2.0MB

Download
memory/2392-1402-0x0000000004590000-0x00000000049D2000-memory.dmp

Filesize
4.3MB

Download
memory/2392-1794-0x0000000006A70000-0x0000000006A7A000-memory.dmp

Filesize
40KB

Download
memory/2392-1793-0x0000000006A70000-0x0000000006A7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads