Analysis

  • max time kernel
    126s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-03-2024 15:20

General

  • Target

    New.exe

  • Size

    4.1MB

  • MD5

    723ae6ee64497f45e3eb194dc928489c

  • SHA1

    9e6e4e5816ee069e0d18bcb132d176df9949d165

  • SHA256

    c881060a9d5bf634923f485a8656243c15af8b20cdebfd33a612565693419067

  • SHA512

    488accf660b9541f37bf6fc38ad479347a985be42bb765ea3fce0005f28f5ee42b3fa356a077df2836b07a2344d567a9f3b79289129b3a2ba80cc1241ebb180c

  • SSDEEP

    49152:36glmRKCncrCQV+8bjrajELExlb0zuFHQLNJYZI06m94H:nOOLSx9+UY

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32
rc4.i32

Extracted

Family

stealc

C2

http://185.172.128.145

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

lumma

C2

https://wisemassiveharmonious.shop/api

https://colorfulequalugliess.shop/api

https://relevantvoicelesskw.shop/api

https://associationokeo.shop/api

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 8 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Stealc

    Stealc is an infostealer written in C++.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 14 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • NSIS installer 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
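
The signatures above are the sandbox's labels; the commands that trigger the most useful ones (the Defender exclusion, the netsh firewall rule, the two schtasks registrations, the sc sdset call and the icacls deny) appear verbatim in the process tree below. What follows is an added example and not part of the sandbox report: a small Python triage pass that runs a hypothetical rule set over those command lines, tags each hit with the ATT&CK technique it corresponds to, and pulls out the file paths the persistence points at so they can be swept on other hosts. The rule set, the technique mapping and the `SAMPLE_CMDLINES` list are this example's own constructions (the sample lines are copied from the report's process tree).

```python
import re

# Constructed sample: command lines copied from the process tree in this report
# (the New.exe -> jsc.exe -> kBjYDo1G... -> csrss.exe chain, BroomSetup's
# Task.bat, B6B9.exe's icacls call and the 6E94.bat child), plus three lines
# that should not fire so the rules can be seen to discriminate.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'powershell -nologo -noprofile',
]

# (rule name, ATT&CK technique, pattern). Hypothetical rule set written for
# this example; tune the patterns before using them for real alerting.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("firewall_allow_rule", "T1562.004",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("scheduled_task_create", "T1053.005",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("service_dacl_tamper", "T1562",
     re.compile(r"\bsc(\.exe)?\s+sdset\b", re.I)),
    ("acl_deny_everyone", "T1222.001",
     re.compile(r"icacls(\.exe)?\b.*\s/deny\s+\*S-1-1-0\b", re.I)),
    ("run_key_persistence", "T1547.001",
     re.compile(r"reg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

# Extract the binary a task or firewall rule points at, so findings can feed
# a disk/EDR sweep on other hosts.
_TASK_TARGET_RE = re.compile(r'''/tr\s+"?'?([A-Za-z]:\\[^"']+)''', re.I)
_FW_PROGRAM_RE = re.compile(r'program="([^"]+)"', re.I)
_ELEVATED_RE = re.compile(r"/rl\s+highest\b", re.I)


def triage(cmdlines):
    """Return one finding dict per (command line, matching rule) pair."""
    findings = []
    for cmd in cmdlines:
        for name, technique, pat in RULES:
            if not pat.search(cmd):
                continue
            target = None
            if name == "scheduled_task_create":
                m = _TASK_TARGET_RE.search(cmd)
                target = m.group(1) if m else None
            elif name == "firewall_allow_rule":
                m = _FW_PROGRAM_RE.search(cmd)
                target = m.group(1) if m else None
            findings.append({
                "rule": name,
                "technique": technique,
                # a task that runs with highest privileges at every logon is the
                # csrss.exe pattern seen in this report
                "elevated_on_logon": bool(_ELEVATED_RE.search(cmd)) and "onlogon" in cmd.lower(),
                "target": target,
                "cmdline": cmd,
            })
    return findings


def persistence_targets(findings):
    """Distinct file paths the findings point at (inputs for a host sweep)."""
    return {f["target"] for f in findings if f["target"]}


if __name__ == "__main__":
    results = triage(SAMPLE_CMDLINES)
    for f in results:
        flag = " [runs elevated at logon]" if f["elevated_on_logon"] else ""
        print(f"{f['technique']:10} {f['rule']:22}{flag} :: {f['cmdline'][:70]}")
    print("sweep for:", sorted(persistence_targets(results)))
```

Only the two schtasks lines and the netsh rule carry a file path, and they all agree on `C:\Windows\rss\csrss.exe` and the `Updater.exe` task target; the `reg add ... \Software\clicker\key` line and the `schtasks /delete` line produce no finding, which is the intended behaviour of a rule set this narrow.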

Processes

  • C:\Users\Admin\AppData\Local\Temp\New.exe
    "C:\Users\Admin\AppData\Local\Temp\New.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe
        "C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp" /SL5="$801E2,1518993,56832,C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
            "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -i
            5⤵
            • Executes dropped EXE
            PID:1580
          • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe
            "C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe" -s
            5⤵
            • Executes dropped EXE
            PID:1984
      • C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
        "C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:380
        • C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe
          "C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2980
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            PID:1380
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:3936
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:2496
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1860
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:960
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                7⤵
                PID:1380
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              6⤵
              PID:4084
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:952
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1672
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              6⤵
              • Executes dropped EXE
              PID:4688
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:2276
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              6⤵
              • Executes dropped EXE
              PID:4324
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                7⤵
                PID:2056
                • C:\Windows\SysWOW64\sc.exe
                  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  8⤵
                  • Launches sc.exe
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4040
      • C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe
        "C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1188
      • C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe
        "C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2460
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1984
            5⤵
            • Program crash
            PID:4308
        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Windows\SysWOW64\chcp.com
              chcp 1251
              6⤵
              PID:224
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              6⤵
              • Creates scheduled task(s)
              PID:3128
      • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
        "C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --silent --allusers=0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
          C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6e6221c8,0x6e6221d4,0x6e6221e0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4876
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1244
        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
          "C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240311152112" --session-guid=208ae88d-0526-43b9-85ae-846938541081 --server-tracking-blob=… --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          PID:4712
          • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe
            C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6db121c8,0x6db121d4,0x6db121e0
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3220
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
          4⤵
          • Executes dropped EXE
          PID:4264
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1216
          • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe
            "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x600040,0x60004c,0x600058
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460
    1⤵
    PID:2528
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    1⤵
    PID:1244
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E94.bat" "
    1⤵
    PID:3876
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
      PID:2888
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1520
  • C:\Users\Admin\AppData\Local\Temp\B6B9.exe
    C:\Users\Admin\AppData\Local\Temp\B6B9.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\B6B9.exe
      C:\Users\Admin\AppData\Local\Temp\B6B9.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2436
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\b64cf3ea-884c-4ff1-a323-b7d4346eb5d6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        3⤵
        • Modifies file permissions
        PID:4392
      • C:\Users\Admin\AppData\Local\Temp\B6B9.exe
        "C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:2244
        • C:\Users\Admin\AppData\Local\Temp\B6B9.exe
          "C:\Users\Admin\AppData\Local\Temp\B6B9.exe" --Admin IsNotAutoStart IsNotTask
          4⤵
          • Executes dropped EXE
          PID:624
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 568
            5⤵
            • Program crash
            PID:3132
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 624 -ip 624
    1⤵
    PID:896
  • C:\Users\Admin\AppData\Local\Temp\D639.exe
    C:\Users\Admin\AppData\Local\Temp\D639.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:4080
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:4592
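
The `sc sdset WinDefender ...` call that windefender.exe (PID 4324) issues through cmd.exe (PID 2056) deserves a closer look than the "Launches sc.exe" signature gives it. The descriptor it writes keeps the shape of a normal service security descriptor, but the Administrators allow ACE is missing SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), and a second ACE explicitly denies those two rights to Administrators, so an elevated `sc stop WinDefender` or `net stop WinDefender` fails with access denied while the service still starts and reports status normally. The Python below is an added example, not part of the report or of the sample: it decodes that SDDL string, computes each trustee's effective rights with deny-wins semantics, and diffs Administrators' rights against a baseline. The baseline `DEFAULT_SERVICE_SDDL` is the descriptor `sc sdshow` commonly reports for an ordinary service and is assumed here for comparison only; the right-code and SID tables follow the documented SDDL abbreviations.

```python
import re

# Service-object access rights as they appear in SDDL ACE strings. Two-letter
# codes map to the SERVICE_* and standard access bits documented for SDDL.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

WELL_KNOWN_SIDS = {
    "SY": "Local System",
    "BA": "Builtin Administrators",
    "IU": "Interactive users",
    "SU": "Service logon users",
    "WD": "Everyone",
}

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# Descriptor the sample applied (copied from the process tree above).
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Assumed baseline: the descriptor `sc sdshow` commonly reports for an
# ordinary service. Not taken from the report; used only for the diff.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

_ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_ace(ace: str) -> dict:
    """Decode one 'type;flags;rights;object;inherit;sid' ACE body."""
    ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
    if rights.startswith("0x"):           # hex access mask form; keep raw
        decoded = [rights]
    else:                                  # two-letter codes, e.g. CCLCSW...
        decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                   for i in range(0, len(rights), 2)]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": decoded,
        "sid": sid,
        "trustee": WELL_KNOWN_SIDS.get(sid, sid),
    }


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into decoded DACL and SACL ACE lists."""
    out = {"dacl": [], "sacl": []}
    for prefix, name in (("D:", "dacl"), ("S:", "sacl")):
        # optional control flags (e.g. P, AI) may sit between 'D:' and the ACEs
        m = re.search(re.escape(prefix) + r"[A-Z]*((?:\([^)]*\))*)", sddl)
        if m:
            out[name] = [decode_ace(a) for a in _ACE_RE.findall(m.group(1))]
    return out


def effective_rights(sddl: str, sid: str) -> dict:
    """Allowed minus denied rights for one trustee (an explicit deny wins)."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "ALLOW":
            allowed.update(ace["rights"])
        elif ace["type"] == "DENY":
            denied.update(ace["rights"])
    return {"allowed": allowed - denied, "denied": denied}


def can_stop(sddl: str, sid: str) -> bool:
    """True if the trustee may send SERVICE_CONTROL_STOP to the service."""
    return "SERVICE_STOP" in effective_rights(sddl, sid)["allowed"]


def stripped_rights(sddl: str, baseline: str, sid: str) -> set:
    """Rights the trustee holds under `baseline` but loses under `sddl`."""
    return (effective_rights(baseline, sid)["allowed"]
            - effective_rights(sddl, sid)["allowed"])


if __name__ == "__main__":
    for sid in ("SY", "BA", "IU", "SU"):
        r = effective_rights(WINDEFENDER_SDDL, sid)
        print(f"{WELL_KNOWN_SIDS[sid]:24} denied={sorted(r['denied'])}")
    print("Administrators lost:",
          sorted(stripped_rights(WINDEFENDER_SDDL, DEFAULT_SERVICE_SDDL, "BA")))
    print("Administrators can stop WinDefender:", can_stop(WINDEFENDER_SDDL, "BA"))
```

The tampered descriptor still grants Administrators SERVICE_CHANGE_CONFIG and WRITE_DAC, so cleanup does not need a boot disk: an elevated `sc sdset WinDefender <default descriptor>` restores the stop right, and `sc config WinDefender start= disabled` followed by a reboot works even without it. The same decoder is useful for any `sc sdset` or `sc sdshow` output, not just this sample's service.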

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Are.docx

    Filesize

    11KB

    MD5

    a33e5b189842c5867f46566bdbf7a095

    SHA1

    e1c06359f6a76da90d19e8fd95e79c832edb3196

    SHA256

    5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

    SHA512

    f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

  • C:\ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

    Filesize

    1.1MB

    MD5

    c472ca448e146d814ab657cc95fb0a12

    SHA1

    28c1c8dc0f593622a25d2fb3bfcb7c685b0145f8

    SHA256

    7769f42e9600973ec055bde949de805a7d30793ba12cf7d0a5bd80abf1a3409c

    SHA512

    bfa704c1ba79f3e9f1e5f39e2a59bacce28fdbff65028278c7b573179b203d92598ee0b08513341965cfce041074952a3bb9b83afe7e376beb257eb5bd8b279e

  • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

    Filesize

    256KB

    MD5

    1f30bb1d3121cbf566cb63e8c06776ee

    SHA1

    988c9f2d7e8e1453d03d79562e0917fa541377e7

    SHA256

    e9e9019a47cf606755f12e46f46913a4957c7f77c1585f71c2d9164ecad15a87

    SHA512

    7278b759e73e88e4cb99811fb9d67e9f9107085c0c42a1baa83072ed59b0da3e39f89e561888edc8fd14dc1244f00f2852d4b3605927c5728ff582d6db39fc6e

  • C:\Users\Admin\AppData\Local\Em Editor Free\emeditorfree.exe

    Filesize

    576KB

    MD5

    ad60bd5c56e08f463cb1f9d5fde642cd

    SHA1

    e71df8a16862f186bc6793d5d5e448bee018f041

    SHA256

    9b1db8d4b15d7a25ff7296cab3f618de825e7e4f5b054adc7534abab93132693

    SHA512

    54954a4ad9477ec61964e362a0b9293dc5915241bfc9f723cd6574360c04285c517798fbf121de7211e30b5a0fe3856cb5e12fcc5107bff815c3476a0ab3d7a9

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GQJk1dwoGxDl5nhQbEOSw2DU.exe

    Filesize

    130KB

    MD5

    98909fe4cc1b0f5c09662ccfef21c5d2

    SHA1

    f618453031e85465249eac849f55b3e64bae1a68

    SHA256

    e160053908776988cdc5860348b1782cc326856fb6976f352c0d83c62b1d3eb9

    SHA512

    a6a55687f1b0a887671fe6d6b405131012735eda1b8706fc92f6bf4dabde285f8565a0498347718089abd1996b73726157a012416e48433e955362a338e98d2d

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

    Filesize

    2.5MB

    MD5

    20d293b9bf23403179ca48086ba88867

    SHA1

    dedf311108f607a387d486d812514a2defbd1b9e

    SHA256

    fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

    SHA512

    5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\assistant_installer.exe

    Filesize

    1.9MB

    MD5

    b3f05009b53af6435e86cfd939717e82

    SHA1

    770877e7c5f03e8d684984fe430bdfcc2cf41b26

    SHA256

    3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7

    SHA512

    d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbgcore.DLL

    Filesize

    166KB

    MD5

    8b6f64e5d3a608b434079e50a1277913

    SHA1

    03f431fabf1c99a48b449099455c1575893d9f32

    SHA256

    926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2

    SHA512

    c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\assistant\dbghelp.dll

    Filesize

    1.7MB

    MD5

    925ea07f594d3fce3f73ede370d92ef7

    SHA1

    f67ea921368c288a9d3728158c3f80213d89d7c2

    SHA256

    6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9

    SHA512

    a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

  • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403111521121\opera_package

    Filesize

    14.6MB

    MD5

    360efb56858be64f43fa1586e44c9f17

    SHA1

    721007f5b2d71047fae49c502c76d8b91e0f5876

    SHA256

    f967395aa0c889a0d8202d9347a1de1050216a0c45995eb756644d4d70d3ff44

    SHA512

    47a759f9fec7d0cd3868d479ee57d4057736e8c13f6c762f1615cd7356cdc7e7754b72c0df5992b488ba466fdb3041e1eb28b0ed4cb3a879f9c836aee9c97944

  • C:\Users\Admin\AppData\Local\Temp\6E94.bat

    Filesize

    77B

    MD5

    55cc761bf3429324e5a0095cab002113

    SHA1

    2cc1ef4542a4e92d4158ab3978425d517fafd16d

    SHA256

    d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

    SHA512

    33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

  • C:\Users\Admin\AppData\Local\Temp\B6B9.exe

    Filesize

    782KB

    MD5

    51597fedbf769613eac193b679de833d

    SHA1

    77c1fbd676bbaf9ef3f235d6f3d41df8ad6b7945

    SHA256

    b0129dd6f2d2f5bd058cddda97e1f47eedcfaec86995c6d988226c305d50d92c

    SHA512

    7e424c8548ace542cdd51c23b31e3907b9d14a95784f8918f85deb2d263d5e6cec845300b1db25aba6c29d3f9ff2ad768731237ab98430a52b83ed00ff017b23

  • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

    Filesize

    512KB

    MD5

    be1ac00f167db10466dd478c5fc84236

    SHA1

    88fdd87741500809227220714ebcdf6640ee12a5

    SHA256

    b2327156069cffc46a71de7796fa849247cb1be9e984baf38d3198aba6f0df84

                          SHA512

                          cf59ba95daaf312b504d5b86e222c9ff93f1b8b09dd0648bb3c712e61b83921bf3c00371c4aae0a9cbc81543a84d225dbc5e4803bd3486bbea2a0d537869a6bf

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521106541224.dll

                          Filesize

                          1024KB

                          MD5

                          dda78bf5a869f7b193163fd1a9c054da

                          SHA1

                          e5a0945ee6abc5be19cf42d3afc08bb2be419128

                          SHA256

                          6b3516adc6be5724707a7bb708f391765bc90cab33e5e144ece0b57ee8622524

                          SHA512

                          9e3e7b6e3cdb655b621b7c69d3569536005b0acfd7e10c4e7c8f82ff1a147b85eb54991d7c84bfc7ace739bdbc973f6b799b5b676eaeb3c41befd2c918f86f17

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521112484876.dll

                          Filesize

                          1.1MB

                          MD5

                          5a18f4fdd9a452d8f3a2692f79946acb

                          SHA1

                          abbc0892df6dc490fc1974ef835877c1fe585513

                          SHA256

                          e2cda95bdc19110fcbf8f56001c7c3741a60acb2e88fb9ee0d5f253d190e822e

                          SHA512

                          ead1438be6aeb7a1730dbc1a954b7b1129739fbf3b3adeaaf6862f4237a711a34dd14b4ef355af270348f5bf42220997f84fa871a6f3f37bfb67bb1999fc5a55

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521116281244.dll

                          Filesize

                          576KB

                          MD5

                          6585c04ac560776fa8dd6c2b85350b1f

                          SHA1

                          27b918c549a7e0cd3129b2a51f8451ab244f3429

                          SHA256

                          13624a80c9de106952e6315f00102bf44bfe2ce6192550e3a872d9c223212ef4

                          SHA512

                          9a40c9a11371b2dcb35a197c78cc991f269f897e281be1c4becbb2d90682b584644dbe367a701d114cfcc742fc4ba34910ff2691e712695986c0983526572bdd

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521116281244.dll

                          Filesize

                          42KB

                          MD5

                          f755fe732556cd439a27be40f780b758

                          SHA1

                          ead634b25d40d27ee54a531e4e36361f08d8246a

                          SHA256

                          ed98d8bb826ef82fa25113a4d3992ae7951199b2fa7d851c6d14144a027ef6bc

                          SHA512

                          b1d3ae9fb4b1b3019234dff1add232da3c1c2cf36f39adbce82adc7ed0d0125feb53603088aefc5578ce6bdf17357096e63673055331b1566a322a253f0dbd4a

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521130654712.dll

                          Filesize

                          512KB

                          MD5

                          edcabf3acb09e79b542436c67624d50b

                          SHA1

                          c36b51cd4ff8d95586e4665e64fc611c3c043425

                          SHA256

                          e2eebe087ade661f6d17f8765a231b8e4a107bbe7b38200c5dd50de142b85347

                          SHA512

                          e2103a1f4bdf2bbf7b383785d1aba6294e698961f3cf87629962f35abc115573f842016802adddce7fa65c9e803a63b2717cc1a83bf9fd1b71e05132cc674953

                        • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403111521135653220.dll

                          Filesize

                          3.8MB

                          MD5

                          a7e2a8f0dfb1639dc1591c0961b1f861

                          SHA1

                          cee658bc7c0eb2f0f55b966c9c5201959bdc8d34

                          SHA256

                          3c1c782496dfbd0fa4534ea89a0d914d40e7c4b0a94d4991c7eebf751501bd46

                          SHA512

                          3063912ea960f5c63645ac70f47294285ad83dfae0fb36442894372f9083879a67cd6a6539bcc7a13eda2618d2a5aa5302fb89f0cf82920f136ef7c9b203ea0a

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsvgfn3f.v5v.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                          Filesize

                          281KB

                          MD5

                          d98e33b66343e7c96158444127a117f6

                          SHA1

                          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                          SHA256

                          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                          SHA512

                          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                        • C:\Users\Admin\AppData\Local\Temp\is-4P5A4.tmp\B073aAZciSwTQAxr1ovu1jw3.tmp

                          Filesize

                          690KB

                          MD5

                          150a46b9c3e09bc0ed8d581669fe605b

                          SHA1

                          760baa334e4e024e80f27f8e23b900600281a853

                          SHA256

                          2d574caab0e532210a5541fa9a3d5187bf38bed3ef8809180462d929fd32637f

                          SHA512

                          d40d747e57c7e4ea33df06ae1c14bea2bc44fcad862432265158a248c1c4a0e4aae5107a1a2db5257a22f0b5223ec6f19401f7491435988da8137c4150009805

                        • C:\Users\Admin\AppData\Local\Temp\is-E924I.tmp\_isetup\_iscrypt.dll

                          Filesize

                          2KB

                          MD5

                          a69559718ab506675e907fe49deb71e9

                          SHA1

                          bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                          SHA256

                          2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                          SHA512

                          e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                        • C:\Users\Admin\AppData\Local\Temp\nst8E77.tmp\INetC.dll

                          Filesize

                          21KB

                          MD5

                          2b342079303895c50af8040a91f30f71

                          SHA1

                          b11335e1cb8356d9c337cb89fe81d669a69de17e

                          SHA256

                          2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

                          SHA512

                          550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

                        • C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

                          Filesize

                          283KB

                          MD5

                          099d81985b4d1951c9a0448bdead2e31

                          SHA1

                          3707f6971ecdd856999ca980a1b99b551bea5ff9

                          SHA256

                          291e511eb00d5f658d345115de7fbd13e416e353bee19cdac8709b0b856da095

                          SHA512

                          f0a2f1c2542c3f898add88c6505a2fde764c5ff00835fee62ef0fe9523706d9dd617f539e80235c6307fe2af2440cb104465af1f9053dfb3743c2f675b1e71b2

                        • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

                          Filesize

                          40B

                          MD5

                          9cdf189636e47aa6042eb5856e0d9057

                          SHA1

                          afab72399ffb36dec1ad0793151eaa7ec91b9afd

                          SHA256

                          2da5f500f4eb304dc0b3377c19209c924267e3090c572abb66ce4beb301b1e02

                          SHA512

                          df1941c3feab837f1c6b870d59cde69d61532e30d4531fe222a0257cc83ad54ee8e66c8476089c5d2c2a0d2fba6239915e08a30f7df831e7bff975cc518d4a80

                        • C:\Users\Admin\AppData\Roaming\Temp\Task.bat

                          Filesize

                          128B

                          MD5

                          11bb3db51f701d4e42d3287f71a6a43e

                          SHA1

                          63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

                          SHA256

                          6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

                          SHA512

                          907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

                        • C:\Users\Admin\Pictures\7EiCwzdezozWvWhtgnDpecT7.exe

                          Filesize

                          7KB

                          MD5

                          5b423612b36cde7f2745455c5dd82577

                          SHA1

                          0187c7c80743b44e9e0c193e993294e3b969cc3d

                          SHA256

                          e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

                          SHA512

                          c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

                        • C:\Users\Admin\Pictures\8knxBMfGnop5OTwevXH2AlNE.exe

                          Filesize

                          2.1MB

                          MD5

                          74fbc954435fb0b73ad76afa3fb1969e

                          SHA1

                          a9eeba2cace9e8a236cb4bcdf379d71832d7f163

                          SHA256

                          7fae036851b4231149ee8d331cea9f3cd2d641c14be522909d9c3152d59241ab

                          SHA512

                          a08710f95d7136cc411172a9ab7135f6f21abd7cf3393f8e71c62cba84cd2fb3d490aae2bc177bc40b6139152fe86a362d7bff28f3ea06920eb37b24a29204a6

                        • C:\Users\Admin\Pictures\B073aAZciSwTQAxr1ovu1jw3.exe

                          Filesize

                          1.8MB

                          MD5

                          3ca2f625386f7a3ca29376148974fa64

                          SHA1

                          646443709518ef699bae4755b262370ff6e7fbcc

                          SHA256

                          25749c401805a1d66f16db72ad533a807bcb56c4f2aef449341af1ca92ec66b4

                          SHA512

                          dbe638a9127d89854b2b36795c8842587b5419805df23404d9c110f4c6cfb29604e5136dd40da17cd8eb31ef56cf1b6bb0fb12e4cab999ad9e583ca4ebbffe79

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          2.5MB

                          MD5

                          6e2cba75e503c329503116801611b52f

                          SHA1

                          87fa56666fda240a3e2f0be5bb817d888d35b926

                          SHA256

                          88fcd287fbf95422454ccd263b0a0915cddaa92e4c86a426d3680b40fa0b29b6

                          SHA512

                          1dc8ccfc04d3a49d045233831b762f7122d2db000c5f663a50e9425991f3d51ce4d1fc2bf31aeefa5560553a12c25c9cbccc6a912c50fabea8c21776cc5b384b

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          1.6MB

                          MD5

                          177c38eb9eb7af5087cb80b4a68b1281

                          SHA1

                          a7d0620725792d41222d03bb8c4e2c31ead7847f

                          SHA256

                          801ae1fee7f3a78340ccedf787d1391930045ba39b1efe077fba0e746b6b1d0b

                          SHA512

                          a97bd903f361f65929e640075882e2e3d3565b60e968142bb86ae50e848c71ff2363d55ada1c101b98804c96f63b5f81eb254ad68b9dda9a6c07e20c52d87641

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          1.8MB

                          MD5

                          5614e2ea9f10d56d3199572664ab4abc

                          SHA1

                          d2e26e5ac239c00e561d7d92357e27bfbc5e16b3

                          SHA256

                          94d2ef9e71ef2ce604877a354562e1b367d11dc337b8db3a75fae1bc4354075b

                          SHA512

                          51fef200adbe6f1b167f68e9810beaf5a429b6a68ec4a756b6aca594889919f6773a57fc177e999a1a75979f1c580a624b11851fe6880de2c436408040abf0ed

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          320KB

                          MD5

                          f8939b114aab258fa56e835d858747c2

                          SHA1

                          98350036dfec6cd033b48a574bb4cba481f6f77c

                          SHA256

                          7694f25356503f5f00a8d64587f905e7120607d3043114e02b127364c0643074

                          SHA512

                          51b0affac001a67ee573d77fbe5c616c5cd208cafa6ae13e74283eeb69f12ff5f2160dfe67729617f613f3f4555c5aa505486f42174fb40f7b76a9460f3c9233

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          448KB

                          MD5

                          adb477df157b744465dfd76d5cb50cb7

                          SHA1

                          78c33535400f1bebbbc38f00f2ace5d78b57af5e

                          SHA256

                          c6cbf9678ca0efe2600cb5025a5f43e2a0b63a76a8b4173320b69170a5ef703d

                          SHA512

                          d05dfbf9225869f622509d54f207853db943a0d8b73e0eeb8e841880e3f580462dedc1df32656aadc440266333ff34d918c3311f625ec9fe0c8e54443a93dd93

                        • C:\Users\Admin\Pictures\GQJk1dwoGxDl5nhQbEOSw2DU.exe

                          Filesize

                          42KB

                          MD5

                          348dc4d114e42f5bf85ce09760660246

                          SHA1

                          5f4da836d7e87e5386a7f361ce522d28f4327d0f

                          SHA256

                          8a70c4aa00e0b939787b572d651f5306687ed06248a2fc8bcedf0b1a1a7c23aa

                          SHA512

                          c0f8bdf9b6e50e0871905ea5b62c84ab0952c4181b24e32f6c238ecf40e54508b080c404ce97e411409e1240082a81f4178318c7a5454472e5de171d08b350ee

                        • C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

                          Filesize

                          4.2MB

                          MD5

                          d184e9f455a3fb4b66cda4f480e2ebf8

                          SHA1

                          1369492c1ce7ce4bd8cee7a9bde706b781fb9f46

                          SHA256

                          bbecbf128a00477ac026297bac7bd37e623bace32afdda18cd561a8ea5fa06ab

                          SHA512

                          c4d335b6325e1638cc24476d4248cb5fa45e75564561fdff10c889b6d269fab9bf798f115c3858e50b0a39328845189571a7d67d4318d004a9a5cc0af8afd97e

                        • C:\Users\Admin\Pictures\kBjYDo1GDKG36UlP3F94uh9M.exe

                          Filesize

                          3.9MB

                          MD5

                          1b5db3a14abeadec87533581be1ce2cf

                          SHA1

                          2522160144ecab17a9fe716595f43cb007a909a2

                          SHA256

                          c407fdfdf85ad02428199f989672c2f23d5e916c65341a461fb6071521305080

                          SHA512

                          4309323b6fa7414402919c3d2624ccd73167e6afb10a278120fa13803c97bd1c5b6808206419ad6949e727f25a5c9da8a650529ac5f3e43f86c7afe80160c98f

                        • C:\Users\Admin\Pictures\riroEZURknx6pNzdF5Mq9Zec.exe

                          Filesize

                          284KB

                          MD5

                          e474dda04f6f90ba50ebff47395b19c9

                          SHA1

                          db1dc005639d232a25e074267239fd9e5fcbe6c7

                          SHA256

                          d5bb21fb44947ee712af26750d6a1df9e91e3baa3c5270eca5f88adbdf329bef

                          SHA512

                          aa906056618e239ab811a19492ea9b272b67b6b964f704a1679c68bf0ce1dbe1b574361d1d08901436a1d5faa888d0320dc56e84904421ad1134727090250055

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                          Filesize

                          2KB

                          MD5

                          968cb9309758126772781b83adb8a28f

                          SHA1

                          8da30e71accf186b2ba11da1797cf67f8f78b47c

                          SHA256

                          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                          SHA512

                          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB

                          MD5

                          efd8ad67c3341bab76bcb7f85c8a0acd

                          SHA1

                          1c638d8b2330c7c19ac58b66e311e8472874c6d4

                          SHA256

                          051003d560bad10b963a231b15b642b216c6ba7a1fb7668ff3c0e5f56053fbf4

                          SHA512

                          50f22169679e5a691585962717c8aa320037cf62207b66c109036fdda56627bd81bd0bf11b161c04d2ee59ae1c6e8884e06a0d7d3da6cd14ee505f1576ae3ebf

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB

                          MD5

                          b9c56fef089c22f77c34ed291b6adf0c

                          SHA1

                          776ade0c003e86a7dc11e8f7e9a4ce6aadb22b54

                          SHA256

                          d34bf1ff2e2c75e16aab260415d1371dd9234d1fc201c6bad90c41461f7e74af

                          SHA512

                          adbc3ee356df5e448eac045a5f06cc68f23ccd9568e42967c3483ebe95f6e1f533e60b74574791e773583c9675ef439f70a6a16749422e27e43e5b22291399dc

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB

                          MD5

                          25d3fbd37ff5d6639622a5e0ecdb0e10

                          SHA1

                          7d276361cf23eefb054a10a0467794a7346010e0

                          SHA256

                          ffe88bba8be83e4f1379f13550002dc4bc131f3b907e6fdc2a189c859b9232ee

                          SHA512

                          ae561698b7c69f340c8ad1bd2913c3c0ee675571d0f1c3c6e000864c16aeb8145fa9f08c68588efae9757b5145961a4d6d83df7974fce14294a14a0116cace19

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB

                          MD5

                          fa403614546e98428b577aa8e009c870

                          SHA1

                          791d84ffe77113cdd0c2636d2df2cbebd9ec2ed4

                          SHA256

                          30400ee1e76f5b1cb056571b470528af0351ae4bee6c98a744f0ba7aeaf4a79d

                          SHA512

                          138d5a87f3e9e7983a2b56b2522cb6898b171e594f1bcbb5f0d461e36e0a8e3b1b1c0e9585ed85ba37e75a75c0fed0561795047ebd97e0d4bb89996eceb6b365

                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                          Filesize

                          19KB

                          MD5

                          0152c0fbfba55b85e7f847867afbf00d

                          SHA1

                          0e09c666517e49526a7abefa94512cc30a556238

                          SHA256

                          4c307d5f7e9006df16213fb3be5ed0e0836032d9aacb83c42d0a150525a9305a

                          SHA512

                          c71c209ce051cb896784c382d013ed58d95d57c52b469aca4ba3c166ff88bd254ca037019f63afe88b47b8dc13c5483181b4ef0647c89bdf6c69296ebbd43ce5

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          2.6MB

                          MD5

                          55c85f58da6671f67922f372d356325c

                          SHA1

                          7ba3811e1dcf31c3829e5c381eb563779798746a

                          SHA256

                          06badece824c881c0a004fa9874333d5f00f3cc3032efb224762548a274ef208

                          SHA512

                          8a90cf5d4931cc93546e945587009696387b3c09f36326adf475dd8638ba12e41585ef4c792f740c89cc3e0b2cbb6096036e19d057ec09cadd8262a979729097

                        • C:\Windows\rss\csrss.exe

                          Filesize

                          2.0MB

                          MD5

                          7df38c9b9403dc949a2b823b8682e9e5

                          SHA1

                          66ae8c2b251180d2acf6112452f812d44ecd81a1

                          SHA256

                          d5b48887ce12ec6f40229e9a5091bcc6d0bd35e289257f25c78378316976b1c8

                          SHA512

                          4a6e4fc56de13e9570fd4267a5c6e6e765a77d03426ae75e375506c946e4acfe8633b8120bb8b8801b0c0e646d69a75ac71b3421183ecd6a1205ddfc4fe88eef

                        • C:\Windows\windefender.exe

                          Filesize

                          2.0MB

                          MD5

                          8e67f58837092385dcf01e8a2b4f5783

                          SHA1

                          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                          SHA256

                          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                          SHA512

                          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                        • memory/380-178-0x0000000006130000-0x0000000006484000-memory.dmp

                          Filesize

                          3.3MB

                        • memory/380-264-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

                          Filesize

                          32KB

                        • memory/380-166-0x0000000005680000-0x00000000056A2000-memory.dmp

                          Filesize

                          136KB

                        • memory/380-150-0x0000000002C20000-0x0000000002C56000-memory.dmp

                          Filesize

                          216KB

                        • memory/380-152-0x00000000750A0000-0x0000000075850000-memory.dmp

                          Filesize

                          7.7MB

                        • memory/380-185-0x0000000006560000-0x000000000657E000-memory.dmp

                          Filesize

                          120KB

                        • memory/380-187-0x00000000065A0000-0x00000000065EC000-memory.dmp

                          Filesize

                          304KB

                        • memory/380-161-0x00000000057E0000-0x0000000005E08000-memory.dmp

                          Filesize

                          6.2MB

                        • memory/380-217-0x0000000006AE0000-0x0000000006B24000-memory.dmp

                          Filesize

                          272KB

                        • memory/380-160-0x0000000003140000-0x0000000003150000-memory.dmp

                          Filesize

                          64KB

                        • memory/380-157-0x0000000003140000-0x0000000003150000-memory.dmp

                          Filesize

                          64KB

                        • memory/380-271-0x00000000750A0000-0x0000000075850000-memory.dmp

                          Filesize

                          7.7MB

                        • memory/380-167-0x0000000005720000-0x0000000005786000-memory.dmp

                          Filesize

                          408KB

                        • memory/380-228-0x0000000007890000-0x0000000007906000-memory.dmp

                          Filesize

                          472KB

                        • memory/380-229-0x0000000007F90000-0x000000000860A000-memory.dmp

                          Filesize

                          6.5MB

                        • memory/380-230-0x0000000007930000-0x000000000794A000-memory.dmp

                          Filesize

                          104KB

                        • memory/380-173-0x0000000005E10000-0x0000000005E76000-memory.dmp

                          Filesize

                          408KB

                        • memory/380-235-0x0000000007B00000-0x0000000007B32000-memory.dmp

                          Filesize

                          200KB

                        • memory/380-236-0x000000006F420000-0x000000006F46C000-memory.dmp

                          Filesize

                          304KB

                        • memory/380-238-0x000000006EB00000-0x000000006EE54000-memory.dmp

                          Filesize

                          3.3MB

                        • memory/380-237-0x000000007F230000-0x000000007F240000-memory.dmp

                          Filesize

                          64KB

                        • memory/380-251-0x0000000007AE0000-0x0000000007AFE000-memory.dmp

                          Filesize

                          120KB

                        • memory/380-252-0x0000000007B40000-0x0000000007BE3000-memory.dmp

                          Filesize

                          652KB

                        • memory/380-253-0x0000000007C20000-0x0000000007C2A000-memory.dmp

                          Filesize

                          40KB

                        • memory/380-257-0x0000000007CE0000-0x0000000007D76000-memory.dmp

                          Filesize

                          600KB

                        • memory/380-258-0x0000000007C40000-0x0000000007C51000-memory.dmp

                          Filesize

                          68KB

                        • memory/380-259-0x0000000007C80000-0x0000000007C8E000-memory.dmp

                          Filesize

                          56KB

                        • memory/380-260-0x0000000007C90000-0x0000000007CA4000-memory.dmp (Filesize 80KB)
                        • memory/380-261-0x0000000007D80000-0x0000000007D9A000-memory.dmp (Filesize 104KB)
                        • memory/1188-108-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/1188-127-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/1188-100-0x0000000001B90000-0x0000000001B9B000-memory.dmp (Filesize 44KB)
                        • memory/1188-97-0x0000000001D30000-0x0000000001E30000-memory.dmp (Filesize 1024KB)
                        • memory/1244-362-0x0000000000750000-0x0000000000C88000-memory.dmp (Filesize 5.2MB)
                        • memory/1580-105-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1580-109-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-282-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-115-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-267-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-434-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-366-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/1984-226-0x0000000000400000-0x00000000005BB000-memory.dmp (Filesize 1.7MB)
                        • memory/2284-163-0x0000000000400000-0x0000000000930000-memory.dmp (Filesize 5.2MB)
                        • memory/2284-165-0x0000000000C20000-0x0000000000C21000-memory.dmp (Filesize 4KB)
                        • memory/2284-266-0x0000000000400000-0x0000000000930000-memory.dmp (Filesize 5.2MB)
                        • memory/2336-162-0x00000000750A0000-0x0000000075850000-memory.dmp (Filesize 7.7MB)
                        • memory/2336-227-0x00000000059F0000-0x0000000005A00000-memory.dmp (Filesize 64KB)
                        • memory/2336-19-0x00000000059F0000-0x0000000005A00000-memory.dmp (Filesize 64KB)
                        • memory/2336-18-0x00000000750A0000-0x0000000075850000-memory.dmp (Filesize 7.7MB)
                        • memory/2336-13-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
                        • memory/2460-298-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/2460-302-0x0000000001C70000-0x0000000001D70000-memory.dmp (Filesize 1024KB)
                        • memory/2460-414-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/2460-234-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/2460-142-0x0000000001C70000-0x0000000001D70000-memory.dmp (Filesize 1024KB)
                        • memory/2460-144-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/2460-313-0x0000000000400000-0x0000000001A34000-memory.dmp (Filesize 22.2MB)
                        • memory/2460-143-0x0000000003650000-0x0000000003677000-memory.dmp (Filesize 156KB)
                        • memory/2460-179-0x0000000061E00000-0x0000000061EF3000-memory.dmp (Filesize 972KB)
                        • memory/2980-281-0x0000000003AE0000-0x0000000003EE1000-memory.dmp (Filesize 4.0MB)
                        • memory/2980-380-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/2980-286-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/2980-438-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/3192-2-0x00000165B9860000-0x00000165B9882000-memory.dmp (Filesize 136KB)
                        • memory/3192-10-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp (Filesize 10.8MB)
                        • memory/3192-11-0x00000165B9850000-0x00000165B9860000-memory.dmp (Filesize 64KB)
                        • memory/3192-12-0x00000165B9850000-0x00000165B9860000-memory.dmp (Filesize 64KB)
                        • memory/3192-14-0x00000165B9850000-0x00000165B9860000-memory.dmp (Filesize 64KB)
                        • memory/3192-17-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp (Filesize 10.8MB)
                        • memory/3220-436-0x0000000000370000-0x00000000008A8000-memory.dmp (Filesize 5.2MB)
                        • memory/3428-126-0x0000000003170000-0x0000000003186000-memory.dmp (Filesize 88KB)
                        • memory/3528-224-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/3528-114-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/3528-339-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/3528-280-0x0000000003A20000-0x0000000003E22000-memory.dmp (Filesize 4.0MB)
                        • memory/3528-110-0x0000000003A20000-0x0000000003E22000-memory.dmp (Filesize 4.0MB)
                        • memory/3528-263-0x0000000000400000-0x0000000001E16000-memory.dmp (Filesize 26.1MB)
                        • memory/3528-113-0x0000000003E30000-0x000000000471B000-memory.dmp (Filesize 8.9MB)
                        • memory/3720-164-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
                        • memory/3720-52-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
                        • memory/3972-315-0x0000000002D20000-0x0000000002D30000-memory.dmp (Filesize 64KB)
                        • memory/3972-317-0x0000000002D20000-0x0000000002D30000-memory.dmp (Filesize 64KB)
                        • memory/3972-314-0x00000000750A0000-0x0000000075850000-memory.dmp (Filesize 7.7MB)
                        • memory/3972-303-0x0000000005DC0000-0x0000000006114000-memory.dmp (Filesize 3.3MB)
                        • memory/4744-62-0x0000000000610000-0x0000000000611000-memory.dmp (Filesize 4KB)
                        • memory/4744-225-0x0000000000400000-0x00000000004BC000-memory.dmp (Filesize 752KB)
                        • memory/4744-268-0x0000000000610000-0x0000000000611000-memory.dmp (Filesize 4KB)
                        • memory/4832-159-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize 244KB)
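As an added triage helper (not part of the sandbox report or of the sandbox's own tooling), the Python below parses dump names of the form memory/<pid>-<index>-<start>-<end>-memory.dmp as listed above, recomputes each region's size from its bounds, checks that against the stated Filesize, and groups identical address ranges that appear under several PIDs. The embedded sample is a constructed subset of the entries in this report. The reading that "the same range at the same base in several PIDs is one image mapped repeatedly (a re-executed dropped EXE, or a DLL mapped into each process)" is an analyst heuristic assumed here, not a claim the report makes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Dump names in the report follow memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: a subset of the report's entries, each followed by its stated Filesize.
SAMPLE = """
memory/380-260-0x0000000007C90000-0x0000000007CA4000-memory.dmp 80KB
memory/1188-108-0x0000000000400000-0x0000000001A34000-memory.dmp 22.2MB
memory/1188-97-0x0000000001D30000-0x0000000001E30000-memory.dmp 1024KB
memory/1580-105-0x0000000000400000-0x00000000005BB000-memory.dmp 1.7MB
memory/1984-115-0x0000000000400000-0x00000000005BB000-memory.dmp 1.7MB
memory/2336-18-0x00000000750A0000-0x0000000075850000-memory.dmp 7.7MB
memory/2460-144-0x0000000000400000-0x0000000001A34000-memory.dmp 22.2MB
memory/2980-286-0x0000000000400000-0x0000000001E16000-memory.dmp 26.1MB
memory/3192-10-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp 10.8MB
memory/3528-114-0x0000000000400000-0x0000000001E16000-memory.dmp 26.1MB
memory/3972-314-0x00000000750A0000-0x0000000075850000-memory.dmp 7.7MB
"""


@dataclass(frozen=True)
class Dump:
    pid: int
    idx: int
    start: int
    end: int
    stated: str  # Filesize as printed in the report

    @property
    def size(self) -> int:
        return self.end - self.start


def format_size(nbytes: int) -> str:
    """Reproduce the report's Filesize rendering (inferred from its values): whole KiB up to
    and including 1 MiB, so 0x100000 bytes prints as 1024KB; one-decimal MiB above that."""
    if nbytes > 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_dumps(text: str) -> list[Dump]:
    """Parse '<dump name> <Filesize>' lines; reject anything not matching the naming scheme."""
    dumps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, stated = line.partition(" ")
        m = DUMP_RE.fullmatch(name)
        if m is None:
            raise ValueError(f"unrecognised dump name: {name}")
        dumps.append(Dump(int(m["pid"]), int(m["idx"]),
                          int(m["start"], 16), int(m["end"], 16), stated.strip()))
    return dumps


def size_mismatches(dumps: list[Dump]) -> list[Dump]:
    """Entries whose stated Filesize does not equal end - start (a sign the name was mangled)."""
    return [d for d in dumps if format_size(d.size) != d.stated]


def shared_ranges(dumps: list[Dump]) -> dict[tuple[int, int], list[int]]:
    """Map (start, end) to the sorted PIDs that carry that exact range, keeping only ranges
    present in more than one process. Heuristic (assumption): such a range is one image mapped
    repeatedly, so one of the dumps is enough to unpack and the rest are duplicates."""
    by_range: dict[tuple[int, int], set[int]] = defaultdict(set)
    for d in dumps:
        by_range[(d.start, d.end)].add(d.pid)
    return {r: sorted(pids) for r, pids in by_range.items() if len(pids) > 1}


def main() -> None:
    dumps = parse_dumps(SAMPLE)
    for d in size_mismatches(dumps):
        print(f"size mismatch: pid {d.pid} idx {d.idx}: stated {d.stated}, computed {format_size(d.size)}")
    for (start, end), pids in sorted(shared_ranges(dumps).items()):
        print(f"0x{start:X}-0x{end:X} ({format_size(end - start)}) in PIDs {pids}")


if __name__ == "__main__":
    main()
```

On this report the grouping surfaces the 22.2MB and 26.1MB regions at the non-ASLR 32-bit image base 0x400000 shared by PID pairs 1188/2460 and 2980/3528, far larger than the 4.1MB submitted sample; those are the dumps to pull first for unpacking, and the 0x750A0000 region common to 2336 and 3972 at a high address is more plausibly a mapped DLL than a payload (both readings are assumptions to confirm in the dumps themselves).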