Analysis Overview
SHA256: 17a8163909ec053405886787423ea582bdd75f9b4c0e565ae2f145889fe20797
Threat Level: Likely malicious
The file Fatal.zip was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Executes dropped EXE
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-13 13:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-13 13:42
Reported: 2024-10-13 13:45
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 152s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D7D8EE7\Activation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D7C07A7\Fatal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D726E58\Fatal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D745A78\Fatal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D799038\Activation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0D7FCD88\Fatal.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\Poppins.ttf | C:\Users\Admin\AppData\Local\Temp\7zO0D726E58\Fatal.exe | N/A |
| File created | C:\Windows\Fonts\globalstats.json | C:\Users\Admin\AppData\Local\Temp\7zO0D745A78\Fatal.exe | N/A |
| File created | C:\Windows\IME\permissions.bat | C:\Users\Admin\AppData\Local\Temp\7zO0D7D8EE7\Activation.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fatal.zip"
C:\Users\Admin\AppData\Local\Temp\7zO0D7D8EE7\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D7D8EE7\Activation.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Windows Activation Fix
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Starting...
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\sppsvc.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\spp /grant administrators:F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Applying permissions...
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
C:\Users\Admin\AppData\Local\Temp\7zO0D7C07A7\Fatal.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D7C07A7\Fatal.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO0D74D9B7\Serials_Checker.bat" "
C:\Windows\system32\mode.com
mode con: cols=90 lines=37
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
C:\Users\Admin\AppData\Local\Temp\7zO0D726E58\Fatal.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D726E58\Fatal.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0D745A78\Fatal.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D745A78\Fatal.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0D799038\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D799038\Activation.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Windows Activation Fix
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0b
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo.
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Users\Admin\AppData\Local\Temp\7zO0D7FCD88\Fatal.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0D7FCD88\Fatal.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO0D7D8EE7\Activation.exe
| MD5 | 8c1d40db6464fd098716a317486db961 |
| SHA1 | 4b4d82e0a91f11e1348488b9e9edd43697d9db67 |
| SHA256 | 7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5 |
| SHA512 | 16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd |
C:\Windows\IME\permissions.bat
| MD5 | 4be7ca8b30ea192628228857b5005655 |
| SHA1 | 588a60df54f8ff2924b2fd569dfc39ce5ae17cfd |
| SHA256 | 5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853 |
| SHA512 | 169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bgeph1r.ta1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3028-16-0x0000024C716A0000-0x0000024C716C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8fe7bd6cd1d64bcdabbf2e2ae72c5a28 |
| SHA1 | 5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de |
| SHA256 | 5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8 |
| SHA512 | 658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 386c44d4c41d27709445d4f198838023 |
| SHA1 | 0aa143134cb817134df0f1d3228273a95d809cba |
| SHA256 | 4eced13fe8ec1d8bd12e62f76c4d40bcb46d36df35d30726e76af5b7f4637187 |
| SHA512 | 6e74bb1b0ec5e66b0a84e6c51f37746b012a2a48cbbb616545a95bd5c63708aa63e3ab85c48c32ac888aed35f1e826cab67e26ea0879c37a5a4e75441a9627e5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17b397582c38a9b7f02a6740179d4cd3 |
| SHA1 | 6735fd9df8684fdff5814c20f4ee5aa68f56e0b7 |
| SHA256 | b571accb65e2150741e6f99799f04b6ed5eb29c1086c4b668b59ffde543a0c22 |
| SHA512 | 9c9c0d7ff194f1274b90ff52f67372736fa50fc3ee6240b1b36b0ae01cae400b5edc6a5aec76b4b311ea5148c1fd8b1eaabddfb553cd710ac58b3e7195fd0a27 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e10336d7c94f7b9bcf0640ff57ebd7d0 |
| SHA1 | 394db719a9c9c4e6f110eb8b830a9ee96c2d7e65 |
| SHA256 | a4989f70ff796549f1a609e78270aaaca446393e205ce7ac7d16d7f1f62eac4f |
| SHA512 | e0f598c43b023226b749a85c2c179facfa0027c4f0e2e88c743d28dffaddc97972cdd684989404150f7f9f989432249398a686eef28e2166a29407b531cb7d53 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1508709714b9e61b563a55213645e2f |
| SHA1 | 1f7c860f940546154f912869d362c841bdadf6c5 |
| SHA256 | 5ea57334a2383d28ed1eaf44f43074495b32a70fb527eee3c59956168b6fb3cf |
| SHA512 | e94b86111b0ad7aca3d14dff2d836c4425779fb4f1ae51d32c07a2fc2305a4f19617e923442b8a9eceffa506906b7f34dc34dad571a4f54135cf8f1417b46e14 |
C:\Users\Admin\AppData\Local\Temp\7zO0D7C07A7\Fatal.exe
| MD5 | 663e52c8e349bba33eac53e2b55a7cd2 |
| SHA1 | 5c1fa2565ecd8373c09dcf6dad60f669a7a5d75a |
| SHA256 | c438078aee47f5e520db9f25c2d72108fe16cfbd8153bd8ebeb0658e83ccbdc4 |
| SHA512 | 63f2c7c136bfcaaeac1fe45070a89e33f78f04f550ac34d3d80e0b8ec28432c3f365c9ad550604847bb7c1b9c1bbe4a3ce9eef959e7a911e201481fed7b8a652 |
memory/4360-80-0x000001D1C8580000-0x000001D1C9DA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO0D74D9B7\Serials_Checker.bat
| MD5 | 5fe2042248f297bfc8f19b5ea671ff82 |
| SHA1 | 4625febff56516901519d6483bb0bc45a4d7550b |
| SHA256 | e61994a0d5895f3f50d568226bb082a3e71d5be155cac6a5223330216d72011f |
| SHA512 | 1e961d26b210d27432c7843c3548d00a306f98cd22513bdda452662d8f1ca227d275668564b82b7f521e589ceebcf209b43d5601207039054a7c083eed5f4c15 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fatal.exe.log
| MD5 | b78f0793c3ef1d417e56d34b656b40bb |
| SHA1 | 4a622f8022516098cb5aae35a5953bde039111a7 |
| SHA256 | 67090a383e35cf075d5c0f0c1d78c4e4b805de6aa951b5d4dd01fd9ae8ccdcfb |
| SHA512 | ab3fb91602bd6f070d9b060da4a26d01869e9b23e319db9164d2e251b2c47db690da0f832e69a45c03bc99919942ef516a0b157cfa0aaea84e64b1e90ae5b933 |
memory/3208-100-0x00000166FCCC0000-0x00000166FCDDA000-memory.dmp
memory/3208-101-0x00000166E3220000-0x00000166E3286000-memory.dmp
memory/3208-102-0x00000166FCE40000-0x00000166FD216000-memory.dmp
memory/3208-103-0x00000166FFA80000-0x00000166FFA92000-memory.dmp
memory/3472-117-0x000001B4C94F0000-0x000001B4C9556000-memory.dmp
C:\WINDOWS\FONTS\POPPINS.TTF
| MD5 | 093ee89be9ede30383f39a899c485a82 |
| SHA1 | fdd3002e7d814ee47c1c1b8487c72c6bbb3a2d00 |
| SHA256 | 707fdc5c8bab57a90061c6a8ed7b70d5ffb82fc810e994e79f90bace890c255a |
| SHA512 | 4be480df0b639750483eb09229b4edcfdcd16141eb95d92a3f28a13bf737146d7cc5db6ad03a5cde258f71b589e5310b6d9bc1563ac7b1d40408eea236d96f4b |
memory/3472-119-0x000001B4CD510000-0x000001B4CD5C2000-memory.dmp
memory/3472-122-0x000001B4CD7A0000-0x000001B4CD7DC000-memory.dmp
C:\ProgramData\KeyAuth\debug\Fatal\Oct_13_2024_logs.txt
| MD5 | 7361b251e6d63f3b76de0c333e4918be |
| SHA1 | 7b692c021906cf98d71c99a34455c6afa242442b |
| SHA256 | 5841dc8b35500efdded51a7446ff2151460f0a4742aa675bc9199a998c41f24e |
| SHA512 | 078bcf8a7c86618666a3a6f1649bfeade22739cffecd607adcbfb05ac8a21e290e9cdea7e000fdd78cc3970b534da0a5bea667f8cd7ef1bed19218a3d009b420 |
C:\Windows\Fonts\globalstats.json
| MD5 | 027392df21771f3a8abf083d925cd2b2 |
| SHA1 | 86d7255ec205022f6cd6810ae0b668446def60ac |
| SHA256 | fe4bccfd7100c0fa711584db321bc6adb32fafe656e7a8b7eda7cc32b42a83ad |
| SHA512 | b988052de0fdbd3cb6191dc2632bc3cb65517ae619244964773f3942fbe065d58015e6dbc348be62f1b662c6c83623844cbe32b15c8daa47295138df2504d9ac |