Analysis Overview
SHA256
75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407
Threat Level: Known bad
The file 新建文件夹 (2).7z was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
VMProtect packed file
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Enumerates connected drives
Adds Run key to start application
Checks computer location settings
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-30 08:03
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win7-20230621-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | | tcp |
Files
memory/2028-54-0x0000000000400000-0x0000000000873000-memory.dmp
memory/2028-57-0x0000000000400000-0x0000000000873000-memory.dmp
\Users\Public\Pictures\pe.dll
| MD5 | d0a62532cecac152bc553474d5899a94 |
| SHA1 | fbb691817dfbae7518648c82304e42288b8354e3 |
| SHA256 | 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49 |
| SHA512 | 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51 |
memory/2028-62-0x0000000010000000-0x0000000010021000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7DZDVCQ4\N1NXXFAM.htm
| MD5 | 8c3a72a6d9535401c6a501924ff5f830 |
| SHA1 | 8e05f6f45154a333bfff2645b3200921ed4a9cf5 |
| SHA256 | c6be6906668708d1589c76b01ad3bb0bc04047c3d64ee84a559697cfc1ca0b1b |
| SHA512 | c97a835b890e2860cf667b0ecb92d4aff4b937f536bf1cd56a3459de918334d53577b0ad6c64a2bcf83470540c4ec0439cf0c54e09e56d392c61415b1cf074ed |
memory/2028-72-0x0000000000400000-0x0000000000873000-memory.dmp
memory/2028-75-0x0000000010000000-0x0000000010021000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win10v2004-20230621-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{23F03270-37F2-49D4-B73B-9E2A7FE4CB38}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FAA5A47B-913E-4D48-A451-0825C617DD57}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83872F96-E858-4643-9EF3-DFD2AF651CD8}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2556AC7D-4B6A-4943-9EB0-A8C6807AB63E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C3DD29AC-F316-43C3-90D0-965C573E2050}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8401E070-F66A-4BA3-A8E3-7CA4B7A06A1A}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9578D02F-4206-4D21-A5E1-9D486A35595E}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FFCE30FD-5EE2-40CE-B284-DD89FEF4E1E3}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 77.88.193.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| GB | 51.132.193.105:443 | | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| NL | 8.238.20.254:80 | | tcp |
| NL | 8.238.20.254:80 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | www.baidu.com | tcp |
| US | 104.193.88.77:443 | | tcp |
Files
memory/2776-133-0x0000000000400000-0x0000000000873000-memory.dmp
memory/2776-134-0x0000000000400000-0x0000000000873000-memory.dmp
C:\Users\Public\Pictures\gj.dll
| MD5 | d0a62532cecac152bc553474d5899a94 |
| SHA1 | fbb691817dfbae7518648c82304e42288b8354e3 |
| SHA256 | 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49 |
| SHA512 | 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51 |
memory/2776-142-0x0000000010000000-0x0000000010021000-memory.dmp
memory/2776-146-0x0000000000400000-0x0000000000873000-memory.dmp
memory/2776-148-0x0000000010000000-0x0000000010021000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7RMPX3MN\OHLL01H6.htm
| MD5 | d51acb034a9a5d7baa2907d8808e229f |
| SHA1 | 18452d07dc3a510b51478a77a9610f3fba65aabd |
| SHA256 | 6465a3bcbec0a8698e340bf1664e28aabd7bbb5d1705034c1280d49ee7de67da |
| SHA512 | 213d551f990d79d997ad2d02867804acd4404e7c281607a0280b9509abe33c38de038ea0961f0a2433a756c5eb88e3aaac2178c2027bcbdc8e0579b72c56cdb8 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win7-20230621-en
Max time kernel
133s
Max time network
30s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win10v2004-20230621-en
Max time kernel
86s
Max time network
135s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.143.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 13.89.179.8:443 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 23.39.157.169:443 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win7-20230621-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹 (2)\\新建文件夹\\Agghosts.exe" | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Agghosts.exe" | C:\Users\Admin\AppData\Local\Agghosts.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Agghosts.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1320 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | C:\Users\Admin\AppData\Local\Agghosts.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"
C:\Users\Admin\AppData\Local\Agghosts.exe
"C:\Users\Admin\AppData\Local\Agghosts.exe"
Network
Files
memory/1320-54-0x0000000010000000-0x000000001001D000-memory.dmp
\Users\Admin\AppData\Local\Agghosts.exe
| MD5 | 614ceaa6ab7f39714e24e9e6b7b0c7b4 |
| SHA1 | 83b63819fe9a9b8c1624e9969fe125088a873cdc |
| SHA256 | e46b0297c7cf534ce46bc673062ed903d11b574fb0602c3bb1a30eb4bbf6f05f |
| SHA512 | 406bc2d2602d0b18e41148c211ceeb65580402046b205ae5e2a65421d02e2fb1ffc4fee76fb803b9e3f7b00081375a36b6b9162729ea447a7f10997716529483 |
Analysis: behavioral6
Detonation Overview
Submitted
2023-06-30 08:03
Reported
2023-06-30 08:06
Platform
win10v2004-20230621-en
Max time kernel
75s
Max time network
127s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Çý¶¯ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\????? (2)\\?????\\Agghosts.exe" | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Çý¶¯ = "C:\\Users\\Admin\\AppData\\Local\\Agghosts.exe" | C:\Users\Admin\AppData\Local\Agghosts.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Agghosts.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4732 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe | C:\Users\Admin\AppData\Local\Agghosts.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"
C:\Users\Admin\AppData\Local\Agghosts.exe
"C:\Users\Admin\AppData\Local\Agghosts.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 95.101.74.134:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.74.101.95.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
Files
memory/4732-133-0x0000000000D70000-0x0000000000D95000-memory.dmp
memory/4732-134-0x0000000010000000-0x000000001001D000-memory.dmp
C:\Users\Admin\AppData\Local\Agghosts.exe
| MD5 | 614ceaa6ab7f39714e24e9e6b7b0c7b4 |
| SHA1 | 83b63819fe9a9b8c1624e9969fe125088a873cdc |
| SHA256 | e46b0297c7cf534ce46bc673062ed903d11b574fb0602c3bb1a30eb4bbf6f05f |
| SHA512 | 406bc2d2602d0b18e41148c211ceeb65580402046b205ae5e2a65421d02e2fb1ffc4fee76fb803b9e3f7b00081375a36b6b9162729ea447a7f10997716529483 |