xworm | fda69ccb7e8acf085194e1359b1facf3b7c8f5b8eca43172a2a199d22aa675a9

Resubmissions

16-01-2025 20:24

250116-y67sesxmgw 10

16-01-2025 20:21

16-01-2025 20:03

16-01-2025 19:53

16-01-2025 19:45

Analysis

max time kernel
857s
max time network
849s
platform
windows7_x64
resource
win7-20240903-ja
resource tags

arch:x64arch:x86image:win7-20240903-jalocale:ja-jpos:windows7-x64systemwindows
submitted
16-01-2025 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatality_loader.rar
Size

956KB
MD5

5c917c1945a53e6c6fd9e55c52a5071f
SHA1

33829463306b1ea8d8997c136c7ad87467773cef
SHA256

fda69ccb7e8acf085194e1359b1facf3b7c8f5b8eca43172a2a199d22aa675a9
SHA512

69d4e041c83e2298c1c8f56a48dee9be249ae4ffbd84b75a94203015cfde21998b8f798798de55dd9ab1813550c2442d89a84e1586a65c8c96d8f64513353e43
SSDEEP

24576:Rej8HegWnDJNfJJB8XWQ/zx7raihPUOOORYgZ:S8HfWDJNGXZ/Nra4rpOgZ

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

star-telecharger.gl.at.ply.gg:27119

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d3f-6.dat	family_xworm
behavioral1/memory/2864-8-0x0000000000E70000-0x0000000000E8A000-memory.dmp	family_xworm
behavioral1/memory/1628-256-0x0000000000200000-0x000000000021A000-memory.dmp	family_xworm
behavioral1/memory/1756-345-0x0000000000250000-0x000000000026A000-memory.dmp	family_xworm
behavioral1/memory/1620-407-0x0000000000BB0000-0x0000000000BCA000-memory.dmp	family_xworm
behavioral1/memory/2572-554-0x0000000000F30000-0x0000000000F4A000-memory.dmp	family_xworm
behavioral1/memory/1488-2631-0x0000000000170000-0x000000000018A000-memory.dmp	family_xworm
behavioral1/memory/2924-2695-0x0000000001310000-0x000000000132A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1192	powershell.exe
2844	powershell.exe
1652	powershell.exe
1660	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	fatality_loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	fatality_loader.exe

Executes dropped EXE 15 IoCs

pid	Process
2864	fatality_loader.exe
1628	svchost.exe
840	fatality_loader.exe
1756	svchost.exe
1620	svchost.exe
2572	svchost.exe
2992	svchost.exe
1488	svchost.exe
2924	svchost.exe
1740	svchost.exe
2072	svchost.exe
2616	svchost.exe
1664	svchost.exe
1656	svchost.exe
2564	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fatality_loader.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
46	discord.com
48	discord.com
49	discord.com
60	discord.com
61	discord.com
62	discord.com
63	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2188	timeout.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cea0fc840f4d884abac62de7c33d4cce0000000002000000000010660000000100002000000072b40b124a3d561de9b480a8515a6b891285847f2dddecf031a5e3333d50b8bf000000000e8000000002000020000000650a9065414c3c00b51db90d5ec7c375714184296b027e27a504fd197725699b20000000e1c3bf5e00b4e15a11aff49df63fd62053e7b644a0d8fdfaae826fe7db400b4f400000004a22717424f8b46b57e88dbf6f252a01f8a08e8cd4cb1911c397074f492b9a1843bf6a034a603939f2c6c83379238b136dd596e6be4bf5196bc8c68d79c74343	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cea0fc840f4d884abac62de7c33d4cce00000000020000000000106600000001000020000000c968b872595eaeffe9e92a56ffea4db868628937c11a18f2899ee834d12aa781000000000e8000000002000020000000ef95f8219a29cbcd8515d037dd3db80f3e0e93d793df52ca06d2c627afefaab7900000001b9dd6c38d18684424392df4d92a720e5e7e070d2572f1fb0b2a1e6e026a1c00fee7099d7cad7a58d4fc6830a65cf84c27c1995041209eea297c5f8737e3b9611bf005bdf92fdce1f6833068a4f63f8041e6c7fc987600576432d5a780d4d0d5940dd7190d05bf63941cd7e170f571005c2a2a85ee1b14a71f9a9d1ee75bd57f3ca7126f8d7cb981439f858fd4745deb4000000052bc2bc1fc17c7e51ca491596935f2b773df14974079859036b7d6b5045942497a8913e26187d325c703386ea469cff6ada771b3b5ec58a7b80a0a0a8d025574	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF1B90D1-D445-11EF-87EF-4A033A7AEF8D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443219990"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bef28b5268db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.tmp\ = "tmp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.tmp	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software	solitaire.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2808	NOTEPAD.EXE
2776	NOTEPAD.EXE
2368	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	powershell.exe
1652	powershell.exe
1660	powershell.exe
1192	powershell.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2864	fatality_loader.exe
2912	solitaire.exe
1968	rundll32.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	2328	7zFM.exe
Token: 35	2328	7zFM.exe
Token: SeSecurityPrivilege	2328	7zFM.exe
Token: SeDebugPrivilege	2864	fatality_loader.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	2864	fatality_loader.exe
Token: SeDebugPrivilege	1628	svchost.exe
Token: 33	2092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2092	AUDIODG.EXE
Token: 33	2092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2092	AUDIODG.EXE
Token: SeDebugPrivilege	840	fatality_loader.exe
Token: SeDebugPrivilege	1756	svchost.exe
Token: SeDebugPrivilege	1620	svchost.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	2992	svchost.exe
Token: SeDebugPrivilege	1488	svchost.exe
Token: SeDebugPrivilege	2924	svchost.exe
Token: SeDebugPrivilege	1740	svchost.exe
Token: SeDebugPrivilege	2072	svchost.exe
Token: SeDebugPrivilege	2616	svchost.exe
Token: SeDebugPrivilege	1664	svchost.exe
Token: SeDebugPrivilege	1656	svchost.exe
Token: SeDebugPrivilege	2564	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2328	7zFM.exe
2328	7zFM.exe
1176	iexplore.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe
2864	fatality_loader.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2864	fatality_loader.exe
1176	iexplore.exe
1176	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
1176	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2844	2864	fatality_loader.exe	35
PID 2864 wrote to memory of 2844	2864	fatality_loader.exe	35
PID 2864 wrote to memory of 2844	2864	fatality_loader.exe	35
PID 2864 wrote to memory of 1652	2864	fatality_loader.exe	37
PID 2864 wrote to memory of 1652	2864	fatality_loader.exe	37
PID 2864 wrote to memory of 1652	2864	fatality_loader.exe	37
PID 2864 wrote to memory of 1660	2864	fatality_loader.exe	39
PID 2864 wrote to memory of 1660	2864	fatality_loader.exe	39
PID 2864 wrote to memory of 1660	2864	fatality_loader.exe	39
PID 2864 wrote to memory of 1192	2864	fatality_loader.exe	41
PID 2864 wrote to memory of 1192	2864	fatality_loader.exe	41
PID 2864 wrote to memory of 1192	2864	fatality_loader.exe	41
PID 2864 wrote to memory of 1356	2864	fatality_loader.exe	43
PID 2864 wrote to memory of 1356	2864	fatality_loader.exe	43
PID 2864 wrote to memory of 1356	2864	fatality_loader.exe	43
PID 464 wrote to memory of 1628	464	taskeng.exe	46
PID 464 wrote to memory of 1628	464	taskeng.exe	46
PID 464 wrote to memory of 1628	464	taskeng.exe	46
PID 1968 wrote to memory of 2776	1968	rundll32.exe	53
PID 1968 wrote to memory of 2776	1968	rundll32.exe	53
PID 1968 wrote to memory of 2776	1968	rundll32.exe	53
PID 464 wrote to memory of 1756	464	taskeng.exe	58
PID 464 wrote to memory of 1756	464	taskeng.exe	58
PID 464 wrote to memory of 1756	464	taskeng.exe	58
PID 464 wrote to memory of 1620	464	taskeng.exe	59
PID 464 wrote to memory of 1620	464	taskeng.exe	59
PID 464 wrote to memory of 1620	464	taskeng.exe	59
PID 464 wrote to memory of 2572	464	taskeng.exe	60
PID 464 wrote to memory of 2572	464	taskeng.exe	60
PID 464 wrote to memory of 2572	464	taskeng.exe	60
PID 1176 wrote to memory of 1344	1176	iexplore.exe	62
PID 1176 wrote to memory of 1344	1176	iexplore.exe	62
PID 1176 wrote to memory of 1344	1176	iexplore.exe	62
PID 1176 wrote to memory of 1344	1176	iexplore.exe	62
PID 464 wrote to memory of 2992	464	taskeng.exe	64
PID 464 wrote to memory of 2992	464	taskeng.exe	64
PID 464 wrote to memory of 2992	464	taskeng.exe	64
PID 464 wrote to memory of 1488	464	taskeng.exe	65
PID 464 wrote to memory of 1488	464	taskeng.exe	65
PID 464 wrote to memory of 1488	464	taskeng.exe	65
PID 464 wrote to memory of 2924	464	taskeng.exe	66
PID 464 wrote to memory of 2924	464	taskeng.exe	66
PID 464 wrote to memory of 2924	464	taskeng.exe	66
PID 464 wrote to memory of 1740	464	taskeng.exe	67
PID 464 wrote to memory of 1740	464	taskeng.exe	67
PID 464 wrote to memory of 1740	464	taskeng.exe	67
PID 464 wrote to memory of 2072	464	taskeng.exe	68
PID 464 wrote to memory of 2072	464	taskeng.exe	68
PID 464 wrote to memory of 2072	464	taskeng.exe	68
PID 464 wrote to memory of 2616	464	taskeng.exe	69
PID 464 wrote to memory of 2616	464	taskeng.exe	69
PID 464 wrote to memory of 2616	464	taskeng.exe	69
PID 464 wrote to memory of 1664	464	taskeng.exe	70
PID 464 wrote to memory of 1664	464	taskeng.exe	70
PID 464 wrote to memory of 1664	464	taskeng.exe	70
PID 464 wrote to memory of 1656	464	taskeng.exe	71
PID 464 wrote to memory of 1656	464	taskeng.exe	71
PID 464 wrote to memory of 1656	464	taskeng.exe	71
PID 464 wrote to memory of 2564	464	taskeng.exe	72
PID 464 wrote to memory of 2564	464	taskeng.exe	72
PID 464 wrote to memory of 2564	464	taskeng.exe	72
PID 2864 wrote to memory of 2756	2864	fatality_loader.exe	73
PID 2864 wrote to memory of 2756	2864	fatality_loader.exe	73
PID 2864 wrote to memory of 2756	2864	fatality_loader.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\fatality_loader.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2328

C:\Users\Admin\Desktop\fatality_loader.exe
"C:\Users\Admin\Desktop\fatality_loader.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fatality_loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fatality_loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1356
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp203D.tmp.bat""
  2⤵
  PID:2208
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2188

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nigga.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {0D37BFDE-8391-4D57-9CB6-A7DEAA1466F0} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:464
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:284

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Log.tmp
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.tmp
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2776

C:\Users\Admin\Desktop\fatality_loader.exe
"C:\Users\Admin\Desktop\fatality_loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Kno758C.tmp
1⤵
- Opens file in notepad (likely ransom note)
PID:2368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8e3698aaa5461e03085786f94b133407

SHA1
b268dd2b214fe6cca88fb5be624b75d04bfcf2e9

SHA256
ac0f7f3b27b3bd7067c0eae8824024b61a998e276a0acf4fec8397591d723086

SHA512
abd720720b1639bcb1c4b7d02e66aeb6466c814d6525893b104a9399dc18431d97bb5cdf283835b499506cad9e1fe592636eab927e23556e7fac4e2eef3001dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
693656a274ae67b754e7f90dc28dbd98

SHA1
4c9c0d2d33b63d0628bcef40cad41298215bf633

SHA256
6f9ab23507005df7610220b24c530ea9abf8a2015d302006e325c2439cbdb1cb

SHA512
74c50faa628a6a82a83465e20b5aa8da9f75914fd5245e35a88f25cea0bd5d4cd93436d9ced02349548b0132b8319466af7f68b28532076a830c5f9b1fe0878f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb5cdbab263eca93a267a322b0e8997

SHA1
51071759ddf06eb599112d6dfc6ff42be13a4cbd

SHA256
b6cf205277d7689b8639611bcacad0c5352fe14ce16c12f6d2199116fca538bd

SHA512
2da4df5e08a5f7db614fa4fa7678ee4635390f6ce3f72fbf59a5a6884d5f472ad8e543dbed63a3bdb210be11dfc4a1f79786e35e104f03aeb358d5ef13bcf43a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd8a2e967663002aae508e31b40f2dc0

SHA1
7c1379b33e42de4ec31075ae9e8d8d152ce0a3a7

SHA256
f1b94b026f609b499d47363fa0d5ea43cff9a18d6e90198a7fc0be15a26afec5

SHA512
ff86cf05e7e1181e445b3dcca5393af927f4a52dde78b310e463f9feb24c4bae1c206288c3be697ec9fc2e6aafcb04f66f2ec280a1dc4efcfe864138a41a808f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a09eb75200d37f0b06ade13d10065f

SHA1
996dca0666c5efd97e1da656260ab9004e55489e

SHA256
f49989317df1c791237f3a94230ad96b270a7941404170eb471a4515156a0bc0

SHA512
7680651b17b57609e3debaaa3d6b41eb6356c069d0958ebdea19e35bec39fe09ddee23ece98b6eadf89f1ce7c508273e7a7b79dce396b93f832f78238af4fc70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
141d34fe4c76cc5fb0a0b77a162a7f13

SHA1
9d0175990fb0d4c87eb9c31ff0d081a4e01b8782

SHA256
46017f04dd2dec2ea4896de0a1611cdbef4950f0d9de92deaa1c09783edccf79

SHA512
21f5abbf6832d83640c3a456dc496d542344964fb267036741dd6a88e5b7c5b0ca3ce63fd732e5646daf79cdbd3dd5f6f0c98a0722df3c08a16c07c884da50e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbafcab15d2fa34c16ef3116096ace7c

SHA1
ca90b163d0ac6228e1257aef990b8ccae9253512

SHA256
3eac9d9ff4e1f42b3dbf7df9b8ac44fc1b48bb6e751ccbc62ff7ce126d47df6a

SHA512
65bf9af3eeb78383874ac71ce2d5eee750523eccd8400e42d154d673e41eb3491f06fcfe1318495fcf7c09e5e9e621a2d04e127a270c86cc4639452bc1619e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58b02cd629a4d7594460c57238ac1f19

SHA1
6450e82288b21815b9002917bb335614b9ed02db

SHA256
81ea8e280c6b58eca0b99ef25fa272468c9714d9a4cdf5e4192a49be84c79433

SHA512
2fc974cb4255b0f1aabce9d97c055ff752bb787d4c5b968afac9fcd9e6f30a639c1c1c21db67b7feb10438b22bfee569bca48b79c822443a2112b52cc267ddb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
223a6eb09367c2402ed9154d79e85990

SHA1
c0128b833aa4450dac48db7bf64bf1229742b2fe

SHA256
d16405275ce72efbcc1f3c30326c077d1df6712d52edbe9eca5de20bc5013ca9

SHA512
e7e3aa83ce5f16c2557dbbe30619a7fce025773804f84a45a074b2942aae7e46daa8cd075d7b557fe8f07adf7f90e51f9089affe2cfb267b44ea0b3bb18a6209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3cdfd14e5728c594b192bf6cffa0d87

SHA1
8912d17a1080f34a6b6e9e4f209c2230fb60a161

SHA256
3e0b8d0f7e7700467d5e323c8129c3657cb687fcea91e44c53b05f445f0fc736

SHA512
fc3d7e5f7834b01b8dbe644222be458f198a561a49038ddb4c38621bc1f2bc0276e86846766a2d39aa0013a0d1a309c34131a9c3a5acb3578dced543746d0399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea1450213b84b7a011128e60d0210fe

SHA1
bcb2bd33bfd67eb6626d6e422e839fb971acc453

SHA256
aa07c7a9ddf1b38b83dda4c65ee2e992f030562134d69decc958e0467c2add22

SHA512
cadc3b664bcad24f56636bf363a0d3d61d9461b0a21ab171de3864df5b34b74507fe4f9da5f5993e932bf46f617335cf1db6cf12eb22502ab3eec1684a036f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29151b5ac4cea0000704702bcd943bd9

SHA1
b732d415135f8396ddabdd20fc2f60c0e6204b1c

SHA256
b907e7c806c61f29172aeaf3a575eff0b9675338242604ffe989e4dcfcc9f627

SHA512
1ecef868633692fba06797fdc8c78518097b272ffe5a9da0d2a44911e87402f1f8c33b6bbf77500c587347a3c1572458bf8145ceb41f4bf85894b91e84607df6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b4908fbb9562ed27233eadf2bc226b3

SHA1
b0a2b4fef90a0623239146d85d79ed3dd8dec798

SHA256
2f405f0dde58df3a4b0b315d4f4d40b56ccb04c90a254e97e5b959fb70090033

SHA512
e3eda5e5549de2f87eae74f6173ed9c34708c56124f89b83a6a9285998b9855f259cb03aefdcbf7c97c9c8fa4fc596d1b50dd115f06d78f9134a5b58a7ea6204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a2034ab22cffe11efde877a7b77ce01

SHA1
47d5694f8bc376f6a1e3e6401a07859ea0672587

SHA256
489563e1d1e94f301b4e3d8d12b4eca4dd62f88be55aa2445b2a3681a9d7be7d

SHA512
7f41837b7c69e478a015bdd50a61eab3cf94628919222c481708a3d2e86b2a5f8fff7140ab0c53985a97201e3d6c749705480c7d4ba6e5f107f04b0ea936fe84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
638515017c45cdf00d334c432b81506c

SHA1
874b79371d4347b61d9ce64ad2b222ff57eafbd0

SHA256
c5fa6f22d91e2d739ef74f466077bcea7ac555dbb9c7661f41825c490f4489de

SHA512
ed43a652b1a198007d33fb5a0c14ba15c8338a9922908e862ea1d0dafcec7a649a1a1829b8d54898304e78dac62de986880ae4f65a0f9784b7d60ab8bdf8b293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e15b62e626c0e176297c63f4cd9a3f57

SHA1
a05e4c4ab721cc1862d86fd838b20a14b40605e2

SHA256
735e71053b48a85243b180cc9888d57308b25a665bd914f7955a57b5051bd010

SHA512
b5d105a8f9d60592943c0c53f8a75119f9c67a57ffdaf145dbb649b6491acd24860a8eba5bdb4c3624e1e0007dc6705c3fc9a1acf2703b8e89e981a5a7f6a3ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d545a882f45f7c2e509348e31565a4b7

SHA1
58b611a4fef820478c92da3da6b0cf6cca42eafb

SHA256
601092f89b974f31e989ef278088e3af1d87b287a28900d9615e94986e654a6e

SHA512
fade685630c5c5d4f231e6e50dd2f59f3cfd4ca5023485bf1ccfe6908312fc604a21a7ad1d1628986d87465fc330a01a2c1aa2356327a2253768cbf81c77c10b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef47a4adb903fa1eb14fc9c7c67397f8

SHA1
ece8f787c1c47930cf945d360f3cc227fd45eb11

SHA256
a6f02288e63960c46a547f83bed855715930f4eb94230004abacc9ac1ef26a92

SHA512
71380e9ce3db441cd373201e152e4a6f776247b8e3daa34da39a86f2228dea1ce318f6f06f19a330812ea53117b408c987657b287950772f68266ed75a40676a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
034610db6de9ec15507315d4678e4b35

SHA1
9ee2d60579282906931738e96b2dc74c3d07c1ff

SHA256
2fffc8d9f40d6c7f5d8bc6ea07a3c40642404f652a24c02b5a736394efb3d4fb

SHA512
eacd341782662288c9ecc002ecbefe2d57c5a95fda75566a65e7bef8f1549e9b479460a9ad0c3e2b6a39f095ec62508d4acb6f22ceb8e280fd348ce428906afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1efe3eace9dba010892d673be672e83

SHA1
a8cf69f0be466e49959c453eac3dd6f650a6dc02

SHA256
56391d249dab8fcff2daee4a03ab729272e0c31877be1f5baedf4ab5cf2a7357

SHA512
6fd38cf7a941afee827b88bec952cf2b5b9f15ded055bd2d386ac821c0d349340a161420a2a53c5ebee248bdefdb7bdfc0ed65bd1aa2ecb6ef48aa8e1268fcb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a4f399bd99152babada0f487e8586d

SHA1
117f631d3ccd612a41973702efbfdbe707d601e5

SHA256
14e4e1bb7ae284f506da00df06d45cd8f7d8593942211ceb69b0ecaf92f23fb0

SHA512
a86677924dfde03c0dfa4e1d979c379ee1bb1553547ebde30b4e9f25d7157b00bcd47977c2320e63184116b5e820c7031d206e67d0245caad7c699779f1b481a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
246108b3c2f2177105b058a017712687

SHA1
1bf84a7eca3c8c608792706af038b29c8a8f88a3

SHA256
aa02c4166a533f64b92f1acfa54b6106e97ae3f1ccc7d4a0518d4244322e6111

SHA512
d7b35e07e4a8fbd9850a421086f9677ddb668da30b5e20b5669c6073adc0a260d7ec7c5ba4fdc8e9f877deceaadd20422d11991a80c6d7ffa88af129829c78a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
453c171856c3552669f4df9accf813f9

SHA1
0aa2672f85cb27375d3b3798b71c6c43611f8b0e

SHA256
faa715d46c644a640515fd62e3ab2faa862c8884e1c392108b1b146124408a97

SHA512
490433140654e60fe3ab452ae2b5ae3def43e62591e0f0f9d97fc786af54ee41edd29f05ab6f34419d7eff1d4db7b5a4404f74883a0a844a818102a4b0a32759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b401aff403c4901b262ad33063c2ca2

SHA1
9a0311141a847004a1ff10cd8da314cdbd38caf2

SHA256
43b015e6bbc3f9f6761b258a5a5cb474963687cca095fde4d2be1dd733478353

SHA512
1da58275645f23caff69f52e00a6e2ce5082a43b99f1844dd36d4f5ab1b1266ed300e4525b1643590cce0bd9dbdc3160c8c0f5c9befac200b3a868afced00223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
24a167393742cfa956ea6996cc5e2121

SHA1
c96f2f68da61b7d2d8f0e6cd64ae818c06945215

SHA256
d42f2961f77de0a020b611e75c3f3718e6cfa718e003cd0d6cd7409d2c5cd731

SHA512
03288c1e259940723e22309fa9f14e1d8d07426159eb7809beff35ac2641fb9305bc9c30119ef2be32765e0969cb0461c6558fa8ecc590e14b388458a5e79e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
9KB

MD5
3cac3f656adbc576df5d9a2352d0b9b8

SHA1
80aaf289412ad7a3eec9042a56272e76ef9daf44

SHA256
6d15266ff848e629518efaa131ac048f2ecdbf27901d7e03aef4376a258af517

SHA512
eb92de27454020bcad61cdab293aae8a9a4c5de76fba4e5df2400a0b29d7e5b1b019ab72a4e3564e3793321cf028c07f7d08288f2d0782b99c08ee23f5270ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

Filesize
8KB

MD5
22d268931ce290f58b598582db6a61a9

SHA1
22fce12ec48e5eaf1b9c713db4c82b187e2b51a8

SHA256
29622872a9eb9b145d76c58ecaeb5a2553bde60dc553e84391c76735581a9d4b

SHA512
0f0bb7986bb31010ce82d4ce8f857db03a2ab326b67a9af3ca93810acae19ac97926920b50146404b20bf127c97470adf1caa039d8e5847ff27579663ebc68f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\62fddf0fde45a8baedcc7ee5_847541504914fd33810e70a0ea73177e%20(2)-1[1].png

Filesize
557B

MD5
c309ae41848547064c2ddb7dc66b6215

SHA1
6d9801822541e4be3ed25137c4e53a249c85ba2a

SHA256
11848b5f1c8a7f294c6211c2f0d0dc83a8a28bfe1ef0829a8dacfdf475c5e5a2

SHA512
3ef32b52e7070ca0fa9a8cf06e49fe43d67da63fd3a0cd0985363f6223c758440a44e65c3eebc7d6cee0b1ca3aedc4c6ee78b7167fc4136d90539d6ba18d030f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab67DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
755B

MD5
b56dc36ed52bd5742bf8e1fb2a00ac40

SHA1
09b9612479b0f457104f531e178798557f933d55

SHA256
cb112d6ef220f7dbfad6f644a6e2fe4516e472f7110c5052ba056d0a82f83c2e

SHA512
b2d806384fc49c2c1163da57e374ad530ed278ba03db088545a153fd125dd847c134efb1d7ed66afd7d55c54ce3615dc53809ece056a65cdfb744d7f53f4088c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67ED.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp203D.tmp.bat

Filesize
156B

MD5
f10dfe93b8c2b275f83ea3e0905e0cbd

SHA1
46b02cffb4fd7f1a0a46b0c61ea8074f916e23d8

SHA256
666e4f2aff1e9ee7a9f6089ae128a54a0e12a1a4c0cf741613491b02e6a06f7c

SHA512
a021e150cc5316fa007c4e9a89ef0cfc4ffdc270be8421b862c6d85ef12b21a22c7bf4b2b48b6b34fed2f74f01ebf179d053cd283e987f7a8807317f2a2cd434

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ed71f3e6100a49489368c369ff343fa

SHA1
c507e3c830ece54e77a3b7676010d70f26f6569e

SHA256
0c12493f5c88b6f333560cb8a286e8a3fbbb4182cab70399558c0403e3688da0

SHA512
d8593f08c15395a1676a7d4c8dbb20126b0c7a72c34ea296287aae37d10cf000d8605f240d2941e2fbb39c81f31784683772ca8b49eee32636cde1e652126111

Download Submit
C:\Users\Admin\Desktop\fatality_loader.exe

Filesize
75KB

MD5
b0b2aa81bf9c1881d0ecfaa256a40c38

SHA1
032d7be78202832ca0d60b1ec95c739ef8174a9f

SHA256
6f7a2c19a3ff11fcc518a1a00624a723e30b8aab58f2a563b1b306e64f530758

SHA512
6606090977eebc5150e88549be88f676521bc762591807927aa9d9940408b523b3535fee5ca2abfb8acd90b12c1966c8c21433179616e14c93ae14a791a9d094

Download Submit
memory/1488-2631-0x0000000000170000-0x000000000018A000-memory.dmp

Filesize
104KB

Download
memory/1620-407-0x0000000000BB0000-0x0000000000BCA000-memory.dmp

Filesize
104KB

Download
memory/1628-256-0x0000000000200000-0x000000000021A000-memory.dmp

Filesize
104KB

Download
memory/1652-31-0x000000001BE20000-0x000000001BE78000-memory.dmp

Filesize
352KB

Download
memory/1652-30-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/1652-29-0x0000000001F50000-0x0000000001F5A000-memory.dmp

Filesize
40KB

Download
memory/1652-28-0x000000001B610000-0x000000001B660000-memory.dmp

Filesize
320KB

Download
memory/1652-26-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1652-27-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/1652-25-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1756-345-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2572-554-0x0000000000F30000-0x0000000000F4A000-memory.dmp

Filesize
104KB

Download
memory/2844-13-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2844-14-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2844-15-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/2844-16-0x0000000002BB0000-0x0000000002C00000-memory.dmp

Filesize
320KB

Download
memory/2844-17-0x0000000002840000-0x000000000284A000-memory.dmp

Filesize
40KB

Download
memory/2844-18-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/2844-19-0x0000000002CD0000-0x0000000002D28000-memory.dmp

Filesize
352KB

Download
memory/2864-184-0x000000001A630000-0x000000001A63C000-memory.dmp

Filesize
48KB

Download
memory/2864-343-0x000000001B6D0000-0x000000001B75E000-memory.dmp

Filesize
568KB

Download
memory/2864-8-0x0000000000E70000-0x0000000000E8A000-memory.dmp

Filesize
104KB

Download
memory/2864-576-0x000000001AB40000-0x000000001AB4C000-memory.dmp

Filesize
48KB

Download
memory/2912-294-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-272-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2912-268-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-269-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-270-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-266-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-265-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-267-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-271-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2912-293-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-298-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2912-302-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2912-303-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2912-301-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2924-2695-0x0000000001310000-0x000000000132A000-memory.dmp

Filesize
104KB

Download