Resubmissions

16-01-2025 20:24

250116-y67sesxmgw 10

16-01-2025 20:21

250116-y4yfzaxqhj 4

16-01-2025 20:03

250116-yss24sxlel 10

16-01-2025 19:53

250116-yl22fawma1 10

16-01-2025 19:45

250116-ygh3rswkdz 10

Analysis

  • max time kernel
    791s
  • max time network
    803s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16-01-2025 19:53

Errors

Reason
Machine shutdown

General

  • Target

    fatality_loader.rar

  • Size

    956KB

  • MD5

    5c917c1945a53e6c6fd9e55c52a5071f

  • SHA1

    33829463306b1ea8d8997c136c7ad87467773cef

  • SHA256

    fda69ccb7e8acf085194e1359b1facf3b7c8f5b8eca43172a2a199d22aa675a9

  • SHA512

    69d4e041c83e2298c1c8f56a48dee9be249ae4ffbd84b75a94203015cfde21998b8f798798de55dd9ab1813550c2442d89a84e1586a65c8c96d8f64513353e43

  • SSDEEP

    24576:Rej8HegWnDJNfJJB8XWQ/zx7raihPUOOORYgZ:S8HfWDJNGXZ/Nra4rpOgZ

Malware Config

Extracted

Family

xworm

C2

star-telecharger.gl.at.ply.gg:27119

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 45 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 61 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 14 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 22 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 49 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        PID:1196
        • C:\Windows\system32\sc.exe
          "C:\Windows\system32\sc.exe" qc windefend
          3⤵
          • Launches sc.exe
          PID:1060
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
          3⤵
            PID:4476
          • C:\Windows\system32\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            3⤵
              PID:1372
            • C:\Windows\system32\net1.exe
              "C:\Windows\system32\net1.exe" stop windefend
              3⤵
                PID:724
              • C:\Windows\system32\sc.exe
                "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
                3⤵
                • Launches sc.exe
                PID:2476
          • C:\Program Files\7-Zip\7zFM.exe
            "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\fatality_loader.rar"
            1⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:1424
          • C:\Users\Admin\Desktop\fatality_loader.exe
            "C:\Users\Admin\Desktop\fatality_loader.exe"
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fatality_loader.exe'
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1056
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fatality_loader.exe'
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1964
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4112
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3592
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
              2⤵
              • Scheduled Task/Job: Scheduled Task
              PID:872
            • C:\Users\Admin\AppData\Local\Temp\vyanmo.exe
              "C:\Users\Admin\AppData\Local\Temp\vyanmo.exe"
              2⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\windows\quarknova.exe
                "C:\windows\quarknova.exe" -startuproutine
                3⤵
                • Executes dropped EXE
                • Drops autorun.inf file
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                PID:2904
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2664 & del /f /q "C:\Users\Admin\AppData\Local\Temp\vyanmo.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2804
                • C:\Windows\system32\taskkill.exe
                  taskkill /f /pid 2664
                  4⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3864
            • C:\Windows\SYSTEM32\taskkill.exe
              taskkill /F /IM explorer.exe
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2340
            • C:\Users\Admin\AppData\Local\Temp\jwddrp.exe
              "C:\Users\Admin\AppData\Local\Temp\jwddrp.exe"
              2⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3760
            • C:\Windows\explorer.exe
              "C:\Windows\explorer.exe"
              2⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5044
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /0
                3⤵
                • Checks SCSI registry key(s)
                • Suspicious use of FindShellTrayWindow
                PID:1484
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /0
                3⤵
                  PID:1692
              • C:\Users\Admin\AppData\Local\Temp\huaall.exe
                "C:\Users\Admin\AppData\Local\Temp\huaall.exe"
                2⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3276
                • C:\Windows\system32\wscript.exe
                  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\55B4.tmp\55B5.tmp\55B6.vbs //Nologo
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5092
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55B4.tmp\ur.cmd" "
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2672
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\mbr.exe
                      mbr.exe
                      5⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Writes to the Master Boot Record (MBR)
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:3924
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\55B4.tmp\mbr.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:2832
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\mousedraw.exe
                      mousedraw.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4100
                    • C:\Windows\system32\timeout.exe
                      timeout 10
                      5⤵
                      • Delays execution with timeout.exe
                      PID:4364
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\bytebeat.exe
                      bytebeat.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1440
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\ScreenShuffle.exe
                      ScreenShuffle.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1600
                    • C:\Windows\system32\timeout.exe
                      timeout 10
                      5⤵
                      • Delays execution with timeout.exe
                      PID:3528
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\PatBlt3.exe
                      PatBlt3.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4296
                    • C:\Windows\system32\timeout.exe
                      timeout 9
                      5⤵
                      • Delays execution with timeout.exe
                      PID:3996
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im bytebeat.exe
                      5⤵
                      • Kills process with taskkill
                      PID:3756
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im PatBlt3.exe
                      5⤵
                      • Kills process with taskkill
                      PID:1452
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im ScreenShuffle.exe
                      5⤵
                      • Kills process with taskkill
                      PID:1520
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im mousedraw.exe
                      5⤵
                      • Kills process with taskkill
                      PID:3244
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\bytebeat1.exe
                      bytebeat1.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3680
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\mlt.exe
                      mlt.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:4208
                    • C:\Windows\system32\timeout.exe
                      timeout 60
                      5⤵
                      • Delays execution with timeout.exe
                      PID:4140
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im bytebeat1.exe
                      5⤵
                      • Kills process with taskkill
                      PID:2580
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im mlt.exe
                      5⤵
                      • Kills process with taskkill
                      PID:1440
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\ATohou.exe
                      ATohou.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3840
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\IconHell.exe
                      IconHell.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:924
                    • C:\Windows\system32\timeout.exe
                      timeout 20
                      5⤵
                      • Delays execution with timeout.exe
                      PID:692
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\reds.exe
                      reds.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1060
                    • C:\Windows\system32\timeout.exe
                      timeout 9
                      5⤵
                      • Delays execution with timeout.exe
                      PID:3508
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im ATohou.exe
                      5⤵
                      • Kills process with taskkill
                      PID:3740
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im IconHell.exe
                      5⤵
                      • Kills process with taskkill
                      PID:1120
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im reds.exe
                      5⤵
                      • Kills process with taskkill
                      PID:3436
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\AWave.exe
                      AWave.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:3248
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\circle.exe
                      circle.exe
                      5⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1884
                    • C:\Users\Admin\AppData\Local\Temp\55B4.tmp\PatBlt3.exe
                      PatBlt3.exe
                      5⤵
                      • Executes dropped EXE
                      PID:5096
                    • C:\Windows\system32\timeout.exe
                      timeout 30
                      5⤵
                      • Delays execution with timeout.exe
                      PID:4164
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im circle.exe
                      5⤵
                      • Kills process with taskkill
                      PID:1756
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im PatBlt3.exe
                      5⤵
                      • Kills process with taskkill
                      PID:484
                    • C:\Windows\system32\timeout.exe
                      timeout 30
                      5⤵
                      • Delays execution with timeout.exe
                      PID:4472
                    • C:\Windows\system32\taskkill.exe
                      taskkill /f /im AWave.exe
                      5⤵
                      • Kills process with taskkill
                      PID:4616
              • C:\Windows\system32\sc.exe
                "C:\Windows\system32\sc.exe" qc windefend
                2⤵
                • Launches sc.exe
                PID:5016
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                2⤵
                  PID:1492
                • C:\Windows\system32\whoami.exe
                  "C:\Windows\system32\whoami.exe" /groups
                  2⤵
                    PID:2760
                  • C:\Windows\system32\net1.exe
                    "C:\Windows\system32\net1.exe" start TrustedInstaller
                    2⤵
                      PID:2604
                    • C:\Windows\system32\net1.exe
                      "C:\Windows\system32\net1.exe" start lsass
                      2⤵
                        PID:2512
                      • C:\Users\Admin\AppData\Local\Temp\bquziw.exe
                        "C:\Users\Admin\AppData\Local\Temp\bquziw.exe"
                        2⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1404
                      • C:\Users\Admin\AppData\Local\Temp\wuiopb.exe
                        "C:\Users\Admin\AppData\Local\Temp\wuiopb.exe"
                        2⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        PID:3476
                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\getsus.txt
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Opens file in notepad (likely ransom note)
                          PID:2792
                      • C:\Users\Admin\AppData\Local\Temp\bhcczv.exe
                        "C:\Users\Admin\AppData\Local\Temp\bhcczv.exe"
                        2⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:4112
                        • C:\Windows\system32\wscript.exe
                          "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3298.tmp\3299.tmp\329A.vbs //Nologo
                          3⤵
                            PID:5024
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3298.tmp\ur.cmd" "
                              4⤵
                                PID:5032
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\mbr.exe
                                  mbr.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Writes to the Master Boot Record (MBR)
                                  • System Location Discovery: System Language Discovery
                                  PID:3004
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\bgm.exe
                                  bgm.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:2672
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\mousedraw.exe
                                  mousedraw.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4236
                                • C:\Windows\system32\timeout.exe
                                  timeout 30
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:3796
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im bgm.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:724
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im mousedraw.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:3148
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\sn.exe
                                  sn.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3460
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\txtout.exe
                                  txtout.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4516
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\txtout2.exe
                                  txtout2.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3944
                                • C:\Windows\system32\timeout.exe
                                  timeout 60
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:396
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im txtout.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:5084
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im txtout2.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:4296
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\first.exe
                                  first.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4204
                                • C:\Windows\system32\timeout.exe
                                  timeout 5
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:2920
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im sn.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:1244
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im first.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:2976
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\xp_snd.exe
                                  xp_snd.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3044
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\GlitchB.exe
                                  GlitchB.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:488
                                • C:\Windows\system32\timeout.exe
                                  timeout 60
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:5004
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im xp_snd.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:2332
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\bytebeat.exe
                                  bytebeat.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:1864
                                • C:\Users\Admin\AppData\Local\Temp\3298.tmp\PatBlt3.exe
                                  PatBlt3.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:3724
                                • C:\Windows\system32\timeout.exe
                                  timeout 4
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:2012
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /f /im GlitchB.exe
                                  5⤵
                                  • Kills process with taskkill
                                  PID:4632
                                • C:\Windows\system32\timeout.exe
                                  timeout 40
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:2524
                        • C:\Windows\System32\rundll32.exe
                          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                          1⤵
                            PID:4628
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1344
                          • C:\Windows\system32\NOTEPAD.EXE
                            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nigga\haha.txt
                            1⤵
                            • Opens file in notepad (likely ransom note)
                            PID:4860
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1772
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3128
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:628
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:32
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:4212
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D4
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1104
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:2364
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:3612
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:3732
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:4220
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:4536
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:4360
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:2668
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:2524
                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            C:\Users\Admin\AppData\Roaming\svchost.exe
                            1⤵
                            • Executes dropped EXE
                            PID:3764

                          MITRE ATT&CK Enterprise v15

                          Downloads

                            Filesize

                            1016KB

                          • memory/1404-1581-0x0000000000400000-0x00000000004FE000-memory.dmp

                            Filesize

                            1016KB

                          • memory/1404-1582-0x0000000000400000-0x00000000004FE000-memory.dmp

                            Filesize

                            1016KB

                          • memory/1440-1420-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/1484-1403-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1412-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1409-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1410-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1411-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1404-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1408-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1414-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1413-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1484-1402-0x0000024DE9CC0000-0x0000024DE9CC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/1600-1421-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/1884-1515-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/2664-109-0x0000000000340000-0x0000000000772000-memory.dmp

                            Filesize

                            4.2MB

                          • memory/2664-111-0x000000001B3E0000-0x000000001B48A000-memory.dmp

                            Filesize

                            680KB

                          • memory/2904-153-0x000000001BA20000-0x000000001BA74000-memory.dmp

                            Filesize

                            336KB

                          • memory/3248-1514-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/3476-1568-0x00000000003C0000-0x00000000003CA000-memory.dmp

                            Filesize

                            40KB

                          • memory/3476-1571-0x0000000004D40000-0x0000000004D4A000-memory.dmp

                            Filesize

                            40KB

                          • memory/3476-1569-0x0000000005270000-0x0000000005816000-memory.dmp

                            Filesize

                            5.6MB

                          • memory/3476-1570-0x0000000004D60000-0x0000000004DF2000-memory.dmp

                            Filesize

                            584KB

                          • memory/3680-1437-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/3760-1128-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/3760-704-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/3760-741-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/3840-1477-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                          • memory/3924-1365-0x0000000000400000-0x0000000000423000-memory.dmp

                            Filesize

                            140KB

                          • memory/4100-1419-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/4100-1427-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/4100-1401-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/4208-1438-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/4296-1425-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB

                          • memory/4892-1422-0x00000000017B0000-0x00000000017BE000-memory.dmp

                            Filesize

                            56KB

                          • memory/4892-97-0x0000000001610000-0x000000000161C000-memory.dmp

                            Filesize

                            48KB

                          • memory/4892-356-0x0000000001780000-0x000000000178A000-memory.dmp

                            Filesize

                            40KB

                          • memory/4892-58-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/4892-57-0x00007FF9E0873000-0x00007FF9E0875000-memory.dmp

                            Filesize

                            8KB

                          • memory/4892-10-0x00007FF9E0870000-0x00007FF9E1332000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/4892-9-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

                            Filesize

                            104KB

                          • memory/4892-8-0x00007FF9E0873000-0x00007FF9E0875000-memory.dmp

                            Filesize

                            8KB

                          • memory/4892-1708-0x000000001C300000-0x000000001C30A000-memory.dmp

                            Filesize

                            40KB

                          • memory/5096-1516-0x0000000000400000-0x000000000041D000-memory.dmp

                            Filesize

                            116KB