Analysis
-
max time kernel
156s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
29/03/2025, 01:35
General
-
Target
Fatality.exe
-
Size
4.3MB
-
MD5
87ec8a86c4477f7f07870c2e986a41ac
-
SHA1
7c29508c83f5f4e2eba74781f90158ac2e6f9c45
-
SHA256
c6cd7c317902053a4334a142ba9f061161a891ffb01220f486c42019d6ecb117
-
SHA512
e3c55d3bf6333863d769a1e9277f54b6cf5a1384aea6c4da179092a960aedf5591c7bab480bb909f786758e26784a5acea3cf446ac3a37624b35877ffdacbef7
-
SSDEEP
98304:nWIpskZHDRgx3iS1U4NewTXlQuT/3Bzi0tbihNuJpQF7:nv5kySZNhzT/JlbINu+7
Score
10/10
Malware Config
Signatures
-
Detect SalatStealer payload 55 IoCs
-
Salatstealer family
-
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fatality.exe"C:\Users\Admin\AppData\Local\Temp\Fatality.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\taskhostw.exeC:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\taskhostw.exe6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\taskhostw.exe"C:\Program Files\Google\Chrome\Application\taskhostw.exe" -7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\taskhostw.exe"C:\Program Files (x86)\Microsoft\Edge\Application\taskhostw.exe" -7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"9⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"12⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"13⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"16⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"17⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"18⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"19⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"20⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"21⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"22⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"24⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"25⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"25⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"26⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"27⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"28⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"29⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"30⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"31⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"32⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"33⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"33⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"34⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"35⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"36⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"37⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"38⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"39⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"40⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"41⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"42⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"43⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"44⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"45⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"46⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"47⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"48⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"49⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"50⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"51⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"52⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"53⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"54⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"55⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"56⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"57⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"58⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"59⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"60⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"61⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"62⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"63⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"63⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"64⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"64⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"65⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"65⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"66⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"66⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"67⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"67⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
3.1MB
MD5244a6c09bc6ba607ee59b5efa46a8703
SHA1924d4d52dad661bf30a52ccc6617e9d55ea8ea3b
SHA2560fe932f5c1c2e5023089795a9caef8427f716bce92f2903d668cc8f98d352b6f
SHA512b1ef92ce0d79da152631376fb7c2c879be22f869458c29d1efe035cec2c4e4ec12b61959118ce95512ed79f852ecd6600de0d790cb456db7c19e00a096b19b4a
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
8KB
-
Filesize
4.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB