Analysis
-
max time kernel
599s -
max time network
604s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 03:25
Behavioral task
behavioral1
Sample
DUMP_00A10000-00A1D000.exe.ViR.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
Dumped_.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
EntrateSetup.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
ErrorFileRemover.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
ExtraTools.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
decrypt_0000000000000020-000A0000.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
dircrypt.deobf.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
dma locker 4.0.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
downloader.js
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
dump.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Resource
win7-20240729-en
Behavioral task
behavioral17
Sample
e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
e8e07496df5370d2e49ecce5a47c1fd2.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
ea8292721a34ca2f1831447868bbe91e.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
encrypter.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk
Resource
win7-20240729-en
Behavioral task
behavioral27
Sample
f213e54c8520e7458751020edf15a5ea.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
f2c8eee2cd88b834e9d4c0eb4930f03f.exe
Resource
win7-20241023-en
Behavioral task
behavioral29
Sample
f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
f6a8d7a4291c55020101d046371a8bda.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
f9151107655aaa6db995888a7cb69ada.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll
Resource
win7-20241010-en
General
-
Target
ErrorFileRemover.exe
-
Size
2.4MB
-
MD5
dbfbf254cfb84d991ac3860105d66fc6
-
SHA1
893110d8c8451565caa591ddfccf92869f96c242
-
SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
-
SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
SSDEEP
49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs — the Winlogon\Shell value names the program Windows launches as the user's shell at logon, so pointing it at the dropped fatalerror.exe makes that binary run at every logon. The report shows the value written twice: per-user under HKU\S-1-5-21-…-1000 and machine-wide under HKLM\SOFTWARE\Wow6432Node. Note that the machine-wide write landed in the 32-bit registry view (Wow6432Node), so whether the 64-bit Winlogon on this x64 image honours it should be confirmed; the per-user value is the more reliable indicator. For remediation, remove the per-user Shell override and make sure the machine-wide value is back to explorer.exe.
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
fatalerror.exepid process 1436 fatalerror.exe -
Loads dropped DLL 15 IoCs
Processes:
ErrorFileRemover.exeMsiExec.exeMsiExec.exepid process 2060 ErrorFileRemover.exe 2060 ErrorFileRemover.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2428 MsiExec.exe 2636 MsiExec.exe 2428 MsiExec.exe 2060 ErrorFileRemover.exe 2428 MsiExec.exe -
Blocklisted process makes network request 1 IoCs — the request is attributed to the MsiExec.exe custom-action host (PID 2428, the "-Embedding" child of the installer service), which also loads the dropped DLLs listed above. The DLL that issued the request is not identified in this section; correlate flow 4 with the Network section before treating the destination as a C2 indicator.
Processes:
MsiExec.exeflow pid process 4 2428 MsiExec.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Note that Windows Installer (msiexec.exe) routinely probes every drive letter during its costing phase, so the msiexec.exe entries here are expected installer behaviour; the ErrorFileRemover.exe entries are the ones worth weighing on their own.
Processes:
msiexec.exemsiexec.exeErrorFileRemover.exedescription ioc process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: ErrorFileRemover.exe File opened (read-only) \??\L: ErrorFileRemover.exe File opened (read-only) \??\M: ErrorFileRemover.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: ErrorFileRemover.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: ErrorFileRemover.exe File opened (read-only) \??\G: ErrorFileRemover.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: ErrorFileRemover.exe File opened (read-only) \??\K: ErrorFileRemover.exe File opened (read-only) \??\R: ErrorFileRemover.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: ErrorFileRemover.exe File opened (read-only) \??\V: ErrorFileRemover.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: ErrorFileRemover.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: ErrorFileRemover.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: ErrorFileRemover.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe 
File opened (read-only) \??\H: ErrorFileRemover.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: ErrorFileRemover.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: ErrorFileRemover.exe File opened (read-only) \??\S: ErrorFileRemover.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: ErrorFileRemover.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\N: ErrorFileRemover.exe File opened (read-only) \??\Y: ErrorFileRemover.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: ErrorFileRemover.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Drops file in Program Files directory 2 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe msiexec.exe File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav msiexec.exe -
Drops file in Windows directory 19 IoCs — most entries are ordinary Windows Installer cache files (C:\Windows\Installer\*.msi, *.ipi, MSI*.tmp). The exception is C:\Windows\Tasks\sys.job, a scheduled-task file created by the MsiExec.exe custom-action host; the process tree below shows taskeng.exe subsequently launching the dropped fatalerror.exe (PID 1436), so this task appears to be a second launch/persistence mechanism alongside the Winlogon Shell change and should be removed during cleanup.
Processes:
msiexec.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\Installer\f7879a3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7B19.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7D5D.tmp msiexec.exe File created C:\Windows\Tasks\sys.job MsiExec.exe File created C:\Windows\Installer\f7879a3.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\f7879a6.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI88F5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7DCB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7E88.tmp msiexec.exe File created C:\Windows\Installer\f7879a6.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI88E5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8A50.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8C45.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8DEC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7C42.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7CB1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8935.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8974.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
msiexec.exeMsiExec.exeMsiExec.exefatalerror.exeErrorFileRemover.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fatalerror.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ErrorFileRemover.exe -
Modifies data under HKEY_USERS 3 IoCs
Processes:
msiexec.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 2528 msiexec.exe 2528 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exeErrorFileRemover.exemsiexec.exedescription pid process Token: SeRestorePrivilege 2528 msiexec.exe Token: SeTakeOwnershipPrivilege 2528 msiexec.exe Token: SeSecurityPrivilege 2528 msiexec.exe Token: SeCreateTokenPrivilege 2060 ErrorFileRemover.exe Token: SeAssignPrimaryTokenPrivilege 2060 ErrorFileRemover.exe Token: SeLockMemoryPrivilege 2060 ErrorFileRemover.exe Token: SeIncreaseQuotaPrivilege 2060 ErrorFileRemover.exe Token: SeMachineAccountPrivilege 2060 ErrorFileRemover.exe Token: SeTcbPrivilege 2060 ErrorFileRemover.exe Token: SeSecurityPrivilege 2060 ErrorFileRemover.exe Token: SeTakeOwnershipPrivilege 2060 ErrorFileRemover.exe Token: SeLoadDriverPrivilege 2060 ErrorFileRemover.exe Token: SeSystemProfilePrivilege 2060 ErrorFileRemover.exe Token: SeSystemtimePrivilege 2060 ErrorFileRemover.exe Token: SeProfSingleProcessPrivilege 2060 ErrorFileRemover.exe Token: SeIncBasePriorityPrivilege 2060 ErrorFileRemover.exe Token: SeCreatePagefilePrivilege 2060 ErrorFileRemover.exe Token: SeCreatePermanentPrivilege 2060 ErrorFileRemover.exe Token: SeBackupPrivilege 2060 ErrorFileRemover.exe Token: SeRestorePrivilege 2060 ErrorFileRemover.exe Token: SeShutdownPrivilege 2060 ErrorFileRemover.exe Token: SeDebugPrivilege 2060 ErrorFileRemover.exe Token: SeAuditPrivilege 2060 ErrorFileRemover.exe Token: SeSystemEnvironmentPrivilege 2060 ErrorFileRemover.exe Token: SeChangeNotifyPrivilege 2060 ErrorFileRemover.exe Token: SeRemoteShutdownPrivilege 2060 ErrorFileRemover.exe Token: SeUndockPrivilege 2060 ErrorFileRemover.exe Token: SeSyncAgentPrivilege 2060 ErrorFileRemover.exe Token: SeEnableDelegationPrivilege 2060 ErrorFileRemover.exe Token: SeManageVolumePrivilege 2060 ErrorFileRemover.exe Token: SeImpersonatePrivilege 2060 ErrorFileRemover.exe Token: SeCreateGlobalPrivilege 2060 ErrorFileRemover.exe Token: SeShutdownPrivilege 2892 msiexec.exe Token: SeIncreaseQuotaPrivilege 2892 msiexec.exe Token: SeCreateTokenPrivilege 2892 msiexec.exe Token: 
SeAssignPrimaryTokenPrivilege 2892 msiexec.exe Token: SeLockMemoryPrivilege 2892 msiexec.exe Token: SeIncreaseQuotaPrivilege 2892 msiexec.exe Token: SeMachineAccountPrivilege 2892 msiexec.exe Token: SeTcbPrivilege 2892 msiexec.exe Token: SeSecurityPrivilege 2892 msiexec.exe Token: SeTakeOwnershipPrivilege 2892 msiexec.exe Token: SeLoadDriverPrivilege 2892 msiexec.exe Token: SeSystemProfilePrivilege 2892 msiexec.exe Token: SeSystemtimePrivilege 2892 msiexec.exe Token: SeProfSingleProcessPrivilege 2892 msiexec.exe Token: SeIncBasePriorityPrivilege 2892 msiexec.exe Token: SeCreatePagefilePrivilege 2892 msiexec.exe Token: SeCreatePermanentPrivilege 2892 msiexec.exe Token: SeBackupPrivilege 2892 msiexec.exe Token: SeRestorePrivilege 2892 msiexec.exe Token: SeShutdownPrivilege 2892 msiexec.exe Token: SeDebugPrivilege 2892 msiexec.exe Token: SeAuditPrivilege 2892 msiexec.exe Token: SeSystemEnvironmentPrivilege 2892 msiexec.exe Token: SeChangeNotifyPrivilege 2892 msiexec.exe Token: SeRemoteShutdownPrivilege 2892 msiexec.exe Token: SeUndockPrivilege 2892 msiexec.exe Token: SeSyncAgentPrivilege 2892 msiexec.exe Token: SeEnableDelegationPrivilege 2892 msiexec.exe Token: SeManageVolumePrivilege 2892 msiexec.exe Token: SeImpersonatePrivilege 2892 msiexec.exe Token: SeCreateGlobalPrivilege 2892 msiexec.exe Token: SeRestorePrivilege 2528 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2892 msiexec.exe 2892 msiexec.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
fatalerror.exepid process 1436 fatalerror.exe 1436 fatalerror.exe 1436 fatalerror.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
ErrorFileRemover.exemsiexec.exetaskeng.exedescription pid process target process PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2060 wrote to memory of 2892 2060 ErrorFileRemover.exe msiexec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2428 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2528 wrote to memory of 2636 2528 msiexec.exe MsiExec.exe PID 2952 wrote to memory of 1436 2952 taskeng.exe fatalerror.exe PID 2952 wrote to memory of 1436 2952 taskeng.exe fatalerror.exe PID 2952 wrote to memory of 1436 2952 taskeng.exe fatalerror.exe PID 2952 wrote to memory of 1436 2952 taskeng.exe fatalerror.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2892
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85C124E974A4815FD74652CF1F5EB6B72⤵
- Loads dropped DLL
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2428
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0DF24FCC7D9A7DE0396A15905B2F351 M Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EDB707B6-9464-4A86-957E-8042D78A2628} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1436
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5181⤵PID:2204
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
99KB
MD5 0f35c0f15e91bf2533656b0129fff225
SHA1 19dd9cfae6a1166a655d913aceee9bcbfd35991a
SHA256 7035ce433cd48a51a30c9599a65bfc4f86b94d37ddb1f3da5fd769976e111493
SHA512 57a41522b513cbe8f73738df977664744d3f71d2783eab03881b031c70b741a70271e3087e06d320c9215a7c338e006583003773f86feea2cff18f0a0fa90ffa
-
Filesize
69B
MD5 7ab1355b8ae96751a8e6f3d6c953cd34
SHA1 90e3fcb6fb0cc25cbfc602f8d9920adaa9986802
SHA256 abd27abe6af73b4e33b98f706250163f2fdbeaea452e900d108da5afb3283936
SHA512 af35de60b0e2cdfa8809aefd152918e549fc0ed2e5c672a0fff1811abff1ca6b837179c1fac73361b15f55f1f7b36709d61c89fe07848f5bb8a48d04d6ed9aac
-
Filesize
84B
MD5 a93f81025eb9327246712b7d13ae0ece
SHA1 791c3f4441b5a62b815d63d205c1c552690dbbe6
SHA256 36f63277652d93a37a8fe93bc4a3533590ba92ca08eec97408ceac27978f3009
SHA512 2cef3c4c26c6dad4064c62d11835a9fd6c202649608c66ad535276c25a6faa550235385f3e817785768977c9f4bb6e8747c371980a6262553f9f7d79c47581aa
-
Filesize
84B
MD5 68ff1ccfea788678e926d7d48f990cb8
SHA1 9748174737bf2759ce864ceb0a888be971ab22f6
SHA256 ae8e2145e52732ef616bb81433171b9a7a5633eb1017cb3687a72f3e35c6699d
SHA512 9db7b35e28cc343c693ca92671680cad584ed30d540e02fe2a7259ea6950024a856dfa6b9289f6ef5b1f0b51b81236507c03846382be50b1a7d025e154e1d988
-
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{508A7E40-70C6-4BA4-B6A2-368AA3DBCC36}.session
Filesize 4KB
MD5 5c58ea5b80d8472bd7eacc63bbea861a
SHA1 9add817c0e59f3ea96f7a08336d9d223b218d98c
SHA256 013cef8fe16201e72f55fa503a98a6abd36f53e188d3e05536e6330a7a95d09d
SHA512 0b34fb75a9e50a3bfbeaa0c9db30f871dad98ef6325eefd782b266cfdd8396f37bec35e551a3604fe01d571a789f6810795da2fb661bc7020bb7b287b30aac41
-
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
Filesize 1010KB
MD5 27bc9540828c59e1ca1997cf04f6c467
SHA1 bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512 a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848
-
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
Filesize 724KB
MD5 bab1293f4cf987216af8051acddaf97f
SHA1 00abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256 bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA512 3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49
-
Filesize
24KB
MD5 e579c5b3c386262e3dd4150eb2b13898
SHA1 5ab7b37956511ea618bf8552abc88f8e652827d3
SHA256 e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA512 9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb
-
Filesize
180KB
MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969
-
Filesize
88KB
MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133
-
Filesize
96KB
MD5 3cab78d0dc84883be2335788d387601e
SHA1 14745df9595f190008c7e5c190660361f998d824
SHA256 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512 df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820
-
Filesize
128KB
MD5 7e6b88f7bb59ec4573711255f60656b5
SHA1 5e7a159825a2d2cb263a161e247e9db93454d4f6
SHA256 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c
-
Filesize
312KB
MD5 aa82345a8f360804ea1d8d935f0377aa
SHA1 c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA256 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512 c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db
-
Filesize
126KB
MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd