Analysis
-
max time kernel
206s -
max time network
229s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
30-11-2022 17:43
Static task
static1
Behavioral task
behavioral1
Sample
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe
Resource
win7-20221111-en (note: the Malware Config, Signatures and process listings below reference behavioral2 and the win10v2004-20221111-en image named under Analysis; the PIDs and the S-1-5-21-… user SID in the IOCs appear to belong to that Windows 10 run rather than to this Windows 7 resource)
General
-
Target
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe
-
Size
1.8MB
-
MD5
f1fa7d91c9d5c31b8dcb25fa73a1fad3
-
SHA1
a60fef98fb8dd848fbf57374fd2f70569950fd06
-
SHA256
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025
-
SHA512
3cd56c54248b9363424bf447fd5c92bcfc6970d6ba6bf78e92abaf246c4631a8f77a7d69f9d3bd6af99d0ccbfa6490bff556d9973a10bca0ca090c40f1dc6703
-
SSDEEP
24576:3LKvy63ol0CibUBc6S4RBv6JhDW+baR5n9dV83mNO+b5j5ZmDQG5+a:3Ll63C0h6dXvSdaR93V83eljG
Malware Config
Extracted
nanocore
1.2.2.0
dontreachme3.ddns.net:3603
dontreachme1.ddns.net:3603
19a5c2b0-5593-40da-9945-6c6b53e85d75
-
activate_away_mode
false
-
backup_connection_host
dontreachme1.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-11-15T15:45:18.745530536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3603
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
19a5c2b0-5593-40da-9945-6c6b53e85d75
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dontreachme3.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
njrat
0.7.3
Client
dontreachme3.ddns.net:3604
EdgeBrowser.exe
-
reg_key
EdgeBrowser.exe
-
splitter
123
Extracted
blacknet
v3.7.0 Public
Bot
https://furyx.de/panel
BN[e5decf896675e5ecc7bbef8ebff8a786]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
50651597687556f33b7fc75d90350b99
-
startup
false
-
usb_spread
true
Extracted
remcos
1.7 Pro
Host
dontreachme3.ddns.net:3605
dontreachme1.ddns.net:3605
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
explorer.exe
-
copy_folder
explorer
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%SystemDrive%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
RuntimeBroker
-
keylog_path
%AppData%
-
mouse_option
true
-
mutex
remcos_ekuntpjjaa
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
RuntimeBroker
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
0.5.7B
Default
dontreachme3.ddns.net:3601
dontreachme1.ddns.net:3601
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
EpicGames.exe
-
install_folder
%AppData%
Signatures
-
BlackNET payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/6840-226-0x0000000000400000-0x000000000041E000-memory.dmp family_blacknet -
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-sight, etc. The disable_win_def hit is in the memory of pid 6840 (0x400000-0x41E000), the same region flagged as family_blacknet above; the "Executes dropped EXE" list maps pid 6840 to Firefoxinstaller.exe.
Processes:
resource yara_rule behavioral2/memory/6840-226-0x0000000000400000-0x000000000041E000-memory.dmp disable_win_def -
Modifies WinLogon for persistence 2 TTPs 8 IoCs — the HKLM Winlogon Shell and Userinit values written by WindowsExplorer.exe point to C:\explorer\explorer.exe, which matches the extracted Remcos config (install_path %SystemDrive%, copy_folder explorer, copy_file explorer.exe); the Shell values written by the other dropped executables are under the user's hive (HKCU) and point into that user's AppData\Roaming and Documents folders.
Processes:
realtekaudio.exeFirefoxinstaller.exeNortonInstaller.exeWinExplorer.exeEdgeBrowser.exerealtekaudio.exeWindowsExplorer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe\"" realtekaudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe\"" Firefoxinstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\NortonInstaller.exe\"" NortonInstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\WinExplorer.exe\"" WinExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeBrowser.exe\"" EdgeBrowser.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe\"" realtekaudio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\explorer\\explorer.exe\"" WindowsExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\explorer\\explorer.exe\"" WindowsExplorer.exe -
Modifies Windows Defender Real-time Protection policy (signature title is missing from the extracted page; the IOCs below create the HKLM Policies\Microsoft\Windows Defender\Real-Time Protection key and set DisableBehaviorMonitoring, DisableOnAccessProtection and DisableScanOnRealtimeEnable to 1, all attributed to EdgeBrowser.exe)
Processes:
EdgeBrowser.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" EdgeBrowser.exe -
Turns off Windows Defender SpyNet reporting 2 TTPs (no IOCs are listed directly under this heading; the SpyNetReporting = 0 and SubmitSamplesConsent = 0 writes by EdgeBrowser.exe appear in the later process listing that contains the Windows Defender\Spynet keys)
-
Disables User Account Control (signature title is missing from the extracted page; despite following the SpyNet heading, the IOCs below set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0 via reg.exe and WD+UAC.exe — a change that on Windows generally only takes full effect after a reboot)
Processes:
reg.exeWD+UAC.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WD+UAC.exe -
Adds Windows Defender exclusion paths (signature title is missing from the extracted page; each dropped executable excludes its own on-disk copy under Documents or AppData\Roaming and its Startup-folder copy from scanning)
Processes:
EdgeBrowser.exeNortonInstaller.exerealtekaudio.exeFirefoxinstaller.exeWinExplorer.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0" NortonInstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe = "0" realtekaudio.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\realtekaudio.exe = "0" realtekaudio.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths Firefoxinstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0" NortonInstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0" WinExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0" Firefoxinstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0" WinExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows 
Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0" Firefoxinstaller.exe -
Async RAT payload 1 IoCs — the asyncrat hit is in the memory of pid 2812, which the "Executes dropped EXE" list maps to realtekaudio.exe and which pid 6888 (also realtekaudio.exe) injected into via SetThreadContext
Processes:
resource yara_rule behavioral2/memory/2812-253-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
WindowsExplorer.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WindowsExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\"" | WindowsExplorer.exe
(the RuntimeBroker value name and C:\explorer\explorer.exe path match the extracted Remcos config's startup_value and copy_folder/copy_file)
-
Drops file in Drivers directory 1 IoCs
Processes:
EasyAASM.exe
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | EasyAASM.exe
(the page does not show what was written; hosts-file edits are commonly used to sinkhole security-vendor or update domains, so the file should be inspected during triage)
-
Executes dropped EXE 21 IoCs
Processes:
tmpA6B0.tmp.exetmpA75D.tmp.exeWD+UAC.exeMicrosoftCompatibility Download.exeEasyAASM.exeFirefoxinstaller.exeNortonInstaller.exeWinExplorer.exeEdgeBrowser.exeEdgeBrowser.exeWinExplorer.exeFirefoxinstaller.exeNortonInstaller.exeFirefoxinstaller.exerealtekaudio.exerealtekaudio.exeWindowsExplorer.exerealtekaudio.exerealtekaudio.exeEdgeBrowser.exeexplorer.exepid Process 2196 tmpA6B0.tmp.exe 3832 tmpA75D.tmp.exe 3608 WD+UAC.exe 4468 MicrosoftCompatibility Download.exe 3296 EasyAASM.exe 4880 Firefoxinstaller.exe 1996 NortonInstaller.exe 1544 WinExplorer.exe 3048 EdgeBrowser.exe 6244 EdgeBrowser.exe 6260 WinExplorer.exe 6252 Firefoxinstaller.exe 6272 NortonInstaller.exe 6840 Firefoxinstaller.exe 6860 realtekaudio.exe 6888 realtekaudio.exe 1476 WindowsExplorer.exe 2812 realtekaudio.exe 3800 realtekaudio.exe 2492 EdgeBrowser.exe 7344 explorer.exe -
UPX packed file (signature title is missing from the extracted page; the upx yara rule hits on dropped file 0x0006000000022e23 and on the memory of pid 3832, tmpA75D.tmp.exe, whose memory is also flagged autoit_exe below)
Processes:
resource yara_rule behavioral2/files/0x0006000000022e23-138.dat upx behavioral2/files/0x0006000000022e23-139.dat upx behavioral2/memory/3832-151-0x0000000000400000-0x00000000004AC000-memory.dmp upx behavioral2/memory/3832-174-0x0000000000400000-0x00000000004AC000-memory.dmp upx -
Checks computer location settings 2 TTPs 12 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
Processes:
EdgeBrowser.exerealtekaudio.exeWinExplorer.exerealtekaudio.exededa52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exetmpA6B0.tmp.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exeEasyAASM.exeWindowsExplorer.exeEdgeBrowser.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation EdgeBrowser.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation realtekaudio.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation WinExplorer.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation realtekaudio.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation tmpA6B0.tmp.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation Firefoxinstaller.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation WinExplorer.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation NortonInstaller.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation EasyAASM.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation WindowsExplorer.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation EdgeBrowser.exe -
Drops startup file 10 IoCs
Processes:
Firefoxinstaller.exeNortonInstaller.exeEdgeBrowser.exerealtekaudio.exeWinExplorer.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe Firefoxinstaller.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe Firefoxinstaller.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe NortonInstaller.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe EdgeBrowser.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe realtekaudio.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe realtekaudio.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe WinExplorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe WinExplorer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe NortonInstaller.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe EdgeBrowser.exe -
Modifies Windows Defender settings (signature title is missing from the extracted page; the IOCs below set Features\TamperProtection = 0, Real-Time Protection\DisableRealtimeMonitoring = 1, Spynet\SpyNetReporting = 0 and Spynet\SubmitSamplesConsent = 0, and add further exclusion paths. These are HKLM writes and so require an elevated process; on systems with Tamper Protection active such direct registry writes are generally rejected, and this listing does not show whether the write succeeded)
Processes:
EdgeBrowser.exerealtekaudio.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\realtekaudio.exe = "0" realtekaudio.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0" Firefoxinstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe = "0" WinExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0" EdgeBrowser.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe = "0" realtekaudio.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions Firefoxinstaller.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0" NortonInstaller.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet EdgeBrowser.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" EdgeBrowser.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features EdgeBrowser.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths Firefoxinstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0" NortonInstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0" Firefoxinstaller.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\WinExplorer.exe = "0" WinExplorer.exe -
Adds Run key to start application 2 TTPs 17 IoCs
Processes:
NortonInstaller.exeFirefoxinstaller.exeFirefoxinstaller.exerealtekaudio.exerealtekaudio.exeWinExplorer.exeWindowsExplorer.exeEdgeBrowser.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe" NortonInstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exeI nstaller\\Firefox.exe" Firefoxinstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe" Firefoxinstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio.exe = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe" realtekaudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realtekaudio.exe = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe" realtekaudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Firefoxinstaller.exe = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe" Firefoxinstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NortonInstaller.exe = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe" NortonInstaller.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExplorer.exe = "C:\\Users\\Admin\\Documents\\WinExplorer.exe" WinExplorer.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe" realtekaudio.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ WindowsExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\"" WindowsExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\WinExplorer.exe" WinExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe" EdgeBrowser.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe" EdgeBrowser.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Roaming\\realtekaudio.exe" realtekaudio.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\explorer\\explorer.exe\"" WindowsExplorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ WindowsExplorer.exe -
Checks whether UAC is enabled (signature title is missing from the extracted page; NortonInstaller.exe and WD+UAC.exe query EnableLUA, and WD+UAC.exe then sets it to 0)
Processes:
NortonInstaller.exeWD+UAC.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NortonInstaller.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WD+UAC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WD+UAC.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs (no IOC is listed here; every C2 host in the extracted configs is a dynamic-DNS name under ddns.net, which is presumably what this signature refers to)
-
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
WindowsExplorer.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | WindowsExplorer.exe
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral2/memory/3832-151-0x0000000000400000-0x00000000004AC000-memory.dmp autoit_exe behavioral2/memory/3832-174-0x0000000000400000-0x00000000004AC000-memory.dmp autoit_exe -
Drops file in System32 directory 2 IoCs
Processes:
reagentc.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Recovery | reagentc.exe
File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | reagentc.exe
(reagentc.exe is the Windows Recovery Environment configuration tool; its invocation here is not attributed to a parent on this page, so whether recovery was being disabled cannot be confirmed from this listing)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
Firefoxinstaller.exeNortonInstaller.exeEdgeBrowser.exeWinExplorer.exerealtekaudio.exepid Process 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 4880 Firefoxinstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 1996 NortonInstaller.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 3048 EdgeBrowser.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 1544 WinExplorer.exe 6888 realtekaudio.exe 6888 realtekaudio.exe 6888 realtekaudio.exe 6888 realtekaudio.exe 6888 realtekaudio.exe 6888 realtekaudio.exe 6888 realtekaudio.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
EdgeBrowser.exe, WinExplorer.exe, Firefoxinstaller.exe, NortonInstaller.exe, Firefoxinstaller.exe, realtekaudio.exe, realtekaudio.exe
description | pid | Process | procid_target
PID 3048 set thread context of 6244 | 3048 | EdgeBrowser.exe | 155
PID 1544 set thread context of 6260 | 1544 | WinExplorer.exe | 157
PID 4880 set thread context of 6252 | 4880 | Firefoxinstaller.exe | 158
PID 1996 set thread context of 6272 | 1996 | NortonInstaller.exe | 156
PID 6252 set thread context of 6840 | 6252 | Firefoxinstaller.exe | 165
PID 6888 set thread context of 2812 | 6888 | realtekaudio.exe | 196
PID 6860 set thread context of 3800 | 6860 | realtekaudio.exe | 206
(each parent sets the thread context of a child that carries the same image name, the pattern expected for self-injection; the two in-memory payload hits on this page — family_blacknet in pid 6840 and asyncrat in pid 2812 — are both such injected children)
-
Drops file in Windows directory 4 IoCs
Processes:
reagentc.exedescription ioc Process File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log reagentc.exe File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log reagentc.exe File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml reagentc.exe File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml reagentc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is the generic description for the signature and calls it likely ransomware behaviour; for this sample, however, the extracted BlackNET config has usb_spread = true, so removable-drive spreading is the more plausible explanation.
-
Program crash 7 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 4612 3608 WerFault.exe 85 5788 4468 WerFault.exe 86 6576 1544 WerFault.exe 90 6564 1996 WerFault.exe 89 6772 1996 WerFault.exe 89 5764 6888 WerFault.exe 167 444 6860 WerFault.exe 166 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | Process
7004 | schtasks.exe
3484 | schtasks.exe
(the task names and commands are not shown on this page)
-
Delays execution with timeout.exe 6 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid Process 5560 timeout.exe 2348 timeout.exe 1460 timeout.exe 5712 timeout.exe 5572 timeout.exe 5552 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
tmpA6B0.tmp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid Process 2196 tmpA6B0.tmp.exe 2196 tmpA6B0.tmp.exe 2196 tmpA6B0.tmp.exe 3192 powershell.exe 3192 powershell.exe 4264 powershell.exe 4264 powershell.exe 2676 powershell.exe 2676 powershell.exe 4684 powershell.exe 4684 powershell.exe 396 powershell.exe 396 powershell.exe 4660 powershell.exe 4660 powershell.exe 4364 powershell.exe 4364 powershell.exe 3224 powershell.exe 3224 powershell.exe 2084 powershell.exe 2084 powershell.exe 4444 powershell.exe 4444 powershell.exe 3328 powershell.exe 3328 powershell.exe 1064 powershell.exe 1064 powershell.exe 4632 powershell.exe 4632 powershell.exe 3580 powershell.exe 3580 powershell.exe 4996 powershell.exe 4996 powershell.exe 1252 powershell.exe 1252 powershell.exe 3224 powershell.exe 3224 powershell.exe 3580 powershell.exe 3580 powershell.exe 4684 powershell.exe 4684 powershell.exe 4996 powershell.exe 4444 powershell.exe 4996 powershell.exe 4444 powershell.exe 3328 powershell.exe 3328 powershell.exe 4632 powershell.exe 4632 powershell.exe 1252 powershell.exe 1252 powershell.exe 3192 powershell.exe 3192 powershell.exe 4264 powershell.exe 4264 powershell.exe 1064 powershell.exe 1064 powershell.exe 4364 powershell.exe 4364 powershell.exe 2676 powershell.exe 2676 powershell.exe 4660 powershell.exe 4660 powershell.exe 396 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
tmpA75D.tmp.exeNortonInstaller.exepid Process 3832 tmpA75D.tmp.exe 6272 NortonInstaller.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exetmpA6B0.tmp.exeMicrosoftCompatibility Download.exeFirefoxinstaller.exeWinExplorer.exeNortonInstaller.exeEdgeBrowser.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWinExplorer.exerealtekaudio.exepowershell.exepowershell.exepowershell.exepowershell.exeFirefoxinstaller.exepowershell.exeNortonInstaller.exerealtekaudio.exedescription pid Process Token: SeDebugPrivilege 4244 deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe Token: SeDebugPrivilege 2196 tmpA6B0.tmp.exe Token: SeDebugPrivilege 4468 MicrosoftCompatibility Download.exe Token: SeDebugPrivilege 4880 Firefoxinstaller.exe Token: SeDebugPrivilege 1544 WinExplorer.exe Token: SeDebugPrivilege 1996 NortonInstaller.exe Token: SeDebugPrivilege 3048 EdgeBrowser.exe Token: SeDebugPrivilege 3328 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeDebugPrivilege 1064 powershell.exe Token: SeDebugPrivilege 2084 powershell.exe Token: SeDebugPrivilege 4660 powershell.exe Token: SeDebugPrivilege 396 powershell.exe Token: SeDebugPrivilege 4364 powershell.exe Token: SeDebugPrivilege 4632 powershell.exe Token: SeDebugPrivilege 3224 powershell.exe Token: SeDebugPrivilege 1252 powershell.exe Token: SeDebugPrivilege 4444 powershell.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeDebugPrivilege 4264 powershell.exe Token: SeDebugPrivilege 3580 powershell.exe Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 3192 powershell.exe Token: SeDebugPrivilege 6092 powershell.exe Token: SeDebugPrivilege 6080 powershell.exe Token: SeDebugPrivilege 6112 powershell.exe Token: SeDebugPrivilege 6260 WinExplorer.exe Token: SeDebugPrivilege 6888 realtekaudio.exe Token: SeDebugPrivilege 5844 powershell.exe 
Token: SeDebugPrivilege 6268 powershell.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeDebugPrivilege 4844 powershell.exe Token: SeDebugPrivilege 6840 Firefoxinstaller.exe Token: SeDebugPrivilege 5484 powershell.exe Token: SeDebugPrivilege 6272 NortonInstaller.exe Token: SeDebugPrivilege 6272 NortonInstaller.exe Token: SeDebugPrivilege 6860 realtekaudio.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
tmpA75D.tmp.exepid Process 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
tmpA75D.tmp.exepid Process 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe 3832 tmpA75D.tmp.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
tmpA75D.tmp.exe, Firefoxinstaller.exe
pid | Process
3832 | tmpA75D.tmp.exe
3832 | tmpA75D.tmp.exe
6840 | Firefoxinstaller.exe
6840 | Firefoxinstaller.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe, tmpA6B0.tmp.exe, Firefoxinstaller.exe, EdgeBrowser.exe, WinExplorer.exe, NortonInstaller.exe
description | pid | Process | procid_target
PID 4244 wrote to memory of 2196 | 4244 | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe | 83
PID 4244 wrote to memory of 2196 | 4244 | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe | 83
PID 4244 wrote to memory of 3832 | 4244 | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe | 84
PID 4244 wrote to memory of 3832 | 4244 | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe | 84
PID 4244 wrote to memory of 3832 | 4244 | deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe | 84
PID 2196 wrote to memory of 3608 | 2196 | tmpA6B0.tmp.exe | 85
PID 2196 wrote to memory of 3608 | 2196 | tmpA6B0.tmp.exe | 85
PID 2196 wrote to memory of 3608 | 2196 | tmpA6B0.tmp.exe | 85
PID 2196 wrote to memory of 4468 | 2196 | tmpA6B0.tmp.exe | 86
PID 2196 wrote to memory of 4468 | 2196 | tmpA6B0.tmp.exe | 86
PID 2196 wrote to memory of 4468 | 2196 | tmpA6B0.tmp.exe | 86
PID 2196 wrote to memory of 3296 | 2196 | tmpA6B0.tmp.exe | 87
PID 2196 wrote to memory of 3296 | 2196 | tmpA6B0.tmp.exe | 87
PID 2196 wrote to memory of 3296 | 2196 | tmpA6B0.tmp.exe | 87
PID 2196 wrote to memory of 4880 | 2196 | tmpA6B0.tmp.exe | 88
PID 2196 wrote to memory of 4880 | 2196 | tmpA6B0.tmp.exe | 88
PID 2196 wrote to memory of 4880 | 2196 | tmpA6B0.tmp.exe | 88
PID 2196 wrote to memory of 1996 | 2196 | tmpA6B0.tmp.exe | 89
PID 2196 wrote to memory of 1996 | 2196 | tmpA6B0.tmp.exe | 89
PID 2196 wrote to memory of 1996 | 2196 | tmpA6B0.tmp.exe | 89
PID 2196 wrote to memory of 1544 | 2196 | tmpA6B0.tmp.exe | 90
PID 2196 wrote to memory of 1544 | 2196 | tmpA6B0.tmp.exe | 90
PID 2196 wrote to memory of 1544 | 2196 | tmpA6B0.tmp.exe | 90
PID 2196 wrote to memory of 3048 | 2196 | tmpA6B0.tmp.exe | 91
PID 2196 wrote to memory of 3048 | 2196 | tmpA6B0.tmp.exe | 91
PID 2196 wrote to memory of 3048 | 2196 | tmpA6B0.tmp.exe | 91
PID 4880 wrote to memory of 3192 | 4880 | Firefoxinstaller.exe | 95
PID 4880 wrote to memory of 3192 | 4880 | Firefoxinstaller.exe | 95
PID 4880 wrote to memory of 3192 | 4880 | Firefoxinstaller.exe | 95
PID 4880 wrote to memory of 4632 | 4880 | Firefoxinstaller.exe | 97
PID 4880 wrote to memory of 4632 | 4880 | Firefoxinstaller.exe | 97
PID 4880 wrote to memory of 4632 | 4880 | Firefoxinstaller.exe | 97
PID 3048 wrote to memory of 3328 | 3048 | EdgeBrowser.exe | 99
PID 3048 wrote to memory of 3328 | 3048 | EdgeBrowser.exe | 99
PID 3048 wrote to memory of 3328 | 3048 | EdgeBrowser.exe | 99
PID 4880 wrote to memory of 396 | 4880 | Firefoxinstaller.exe | 101
PID 4880 wrote to memory of 396 | 4880 | Firefoxinstaller.exe | 101
PID 4880 wrote to memory of 396 | 4880 | Firefoxinstaller.exe | 101
PID 1544 wrote to memory of 4684 | 1544 | WinExplorer.exe | 100
PID 1544 wrote to memory of 4684 | 1544 | WinExplorer.exe | 100
PID 1544 wrote to memory of 4684 | 1544 | WinExplorer.exe | 100
PID 1996 wrote to memory of 4996 | 1996 | NortonInstaller.exe | 102
PID 1996 wrote to memory of 4996 | 1996 | NortonInstaller.exe | 102
PID 1996 wrote to memory of 4996 | 1996 | NortonInstaller.exe | 102
PID 1996 wrote to memory of 4264 | 1996 | NortonInstaller.exe | 111
PID 1996 wrote to memory of 4264 | 1996 | NortonInstaller.exe | 111
PID 1996 wrote to memory of 4264 | 1996 | NortonInstaller.exe | 111
PID 1544 wrote to memory of 3580 | 1544 | WinExplorer.exe | 108
PID 1544 wrote to memory of 3580 | 1544 | WinExplorer.exe | 108
PID 1544 wrote to memory of 3580 | 1544 | WinExplorer.exe | 108
PID 3048 wrote to memory of 2676 | 3048 | EdgeBrowser.exe | 107
PID 3048 wrote to memory of 2676 | 3048 | EdgeBrowser.exe | 107
PID 3048 wrote to memory of 2676 | 3048 | EdgeBrowser.exe | 107
PID 4880 wrote to memory of 3224 | 4880 | Firefoxinstaller.exe | 110
PID 4880 wrote to memory of 3224 | 4880 | Firefoxinstaller.exe | 110
PID 4880 wrote to memory of 3224 | 4880 | Firefoxinstaller.exe | 110
PID 1996 wrote to memory of 2084 | 1996 | NortonInstaller.exe | 114
PID 1996 wrote to memory of 2084 | 1996 | NortonInstaller.exe | 114
PID 1996 wrote to memory of 2084 | 1996 | NortonInstaller.exe | 114
PID 1544 wrote to memory of 1252 | 1544 | WinExplorer.exe | 117
PID 1544 wrote to memory of 1252 | 1544 | WinExplorer.exe | 117
PID 1544 wrote to memory of 1252 | 1544 | WinExplorer.exe | 117
PID 3048 wrote to memory of 4660 | 3048 | EdgeBrowser.exe | 118
PID 3048 wrote to memory of 4660 | 3048 | EdgeBrowser.exe | 118 -
System policy modification 1 TTPs 1 IoCs
Processes:
WD+UAC.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WD+UAC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe"C:\Users\Admin\AppData\Local\Temp\deda52b25f9255b01eb0bb22444f6b8681e4a091da20c8c7d00efde1974c8025.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\Documents\WD+UAC.exe"C:\Users\Admin\Documents\WD+UAC.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:3608 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 920 4⤵
- Program crash
PID:4612
-
-
-
C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"C:\Users\Admin\Documents\MicrosoftCompatibility Download.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1644 4⤵
- Program crash
PID:5788
-
-
-
C:\Users\Admin\Documents\EasyAASM.exe"C:\Users\Admin\Documents\EasyAASM.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
PID:3296 -
C:\Windows\SysWOW64\reagentc.exereagentc.exe /disable 4⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:6008
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C: 4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6080
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming 4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6092
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension exe 4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6112
-
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6860 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5484
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵PID:3560
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵PID:7032
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force5⤵PID:5432
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 5⤵PID:2348
-
C:\Windows\SysWOW64\timeout.exetimeout 1 6⤵
- Delays execution with timeout.exe
PID:1460
-
-
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"5⤵
- Executes dropped EXE
PID:3800
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 2360 5⤵
- Program crash
PID:444
-
-
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exeC:\Users\Admin\AppData\Roaming\realtekaudio.exe4⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5844
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6268
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\realtekaudio.exe" -Force5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 5⤵PID:5672
-
C:\Windows\SysWOW64\timeout.exetimeout 1 6⤵
- Delays execution with timeout.exe
PID:2348
-
-
-
C:\Users\Admin\AppData\Roaming\realtekaudio.exe"C:\Users\Admin\AppData\Roaming\realtekaudio.exe"5⤵
- Executes dropped EXE
PID:2812
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 2240 5⤵
- Program crash
PID:5764
-
-
-
-
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 4⤵PID:5776
-
C:\Windows\SysWOW64\timeout.exetimeout 1 5⤵
- Delays execution with timeout.exe
PID:5560
-
-
-
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6252 -
C:\Users\Admin\Documents\Firefoxinstaller.exe"C:\Users\Admin\Documents\Firefoxinstaller.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6840
-
-
-
-
C:\Users\Admin\Documents\NortonInstaller.exe"C:\Users\Admin\Documents\NortonInstaller.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 4⤵PID:5764
-
C:\Windows\SysWOW64\timeout.exetimeout 1 5⤵
- Delays execution with timeout.exe
PID:5572
-
-
-
C:\Users\Admin\Documents\NortonInstaller.exe"C:\Users\Admin\Documents\NortonInstaller.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6272 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp"5⤵
- Creates scheduled task(s)
PID:3484
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 2356 4⤵
- Program crash
PID:6564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 2356 4⤵
- Program crash
PID:6772
-
-
-
C:\Users\Admin\Documents\WinExplorer.exe"C:\Users\Admin\Documents\WinExplorer.exe"3⤵
- Modifies WinLogon for persistence
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\WinExplorer.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 4⤵PID:5740
-
C:\Windows\SysWOW64\timeout.exetimeout 1 5⤵
- Delays execution with timeout.exe
PID:5552
-
-
-
C:\Users\Admin\Documents\WinExplorer.exe"C:\Users\Admin\Documents\WinExplorer.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:6260 -
C:\Users\Admin\Documents\WindowsExplorer.exe"C:\Users\Admin\Documents\WindowsExplorer.exe"5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
PID:1476 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f 6⤵PID:4476
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f 7⤵
- UAC bypass
- Modifies registry key
PID:4276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "6⤵PID:6672
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 2 7⤵
- Runs ping.exe
PID:6560
-
-
C:\explorer\explorer.exe"C:\explorer\explorer.exe"7⤵
- Executes dropped EXE
PID:7344
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 2388 4⤵
- Program crash
PID:6576
-
-
-
C:\Users\Admin\Documents\EdgeBrowser.exe"C:\Users\Admin\Documents\EdgeBrowser.exe"3⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 1 4⤵PID:5752
-
C:\Windows\SysWOW64\timeout.exetimeout 1 5⤵
- Delays execution with timeout.exe
PID:5712
-
-
-
C:\Users\Admin\Documents\EdgeBrowser.exe"C:\Users\Admin\Documents\EdgeBrowser.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
PID:6244 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F 5⤵PID:6984
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 1 5⤵
- Creates scheduled task(s)
PID:7004
-
-
C:\Users\Admin\EdgeBrowser.exe"C:\Users\Admin\EdgeBrowser.exe"5⤵
- Executes dropped EXE
PID:2492
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA75D.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608 1⤵PID:4940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4468 -ip 4468 1⤵PID:5644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1996 -ip 1996 1⤵PID:6508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1544 -ip 1544 1⤵PID:6516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6888 -ip 6888 1⤵PID:3132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6860 -ip 6860 1⤵PID:6480
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1KB
MD5 d5e53cc8e471a9b7fbf2a280306260a7
SHA1 5ec93ec6c83e0992bd92549c53e6d8a81c49eeb0
SHA256 7b545eafedcb5dc2e9f12ec051d88c3f2995ab3864d03c56dd0ed1aeb59ff6dc
SHA512 c94792bc4af6e193bf7fb4c95e75f168046b6ca5fdf8ac08a527f078e3a2f474ece7a4ad56616550db7a2ce61985227fd28270891cb7d2f68a0737d7d4613d8b
-
Filesize
1KB
MD5 41088fa7e1ea7acc252be5728f4c0f56
SHA1 02f4aafd7025fd710491658c230ddc5493e2a366
SHA256 bef0fe04c67e31e8b09cef7f80eb8b4483c939d290bac4cee7717e9cb05ccfa8
SHA512 6ca956597ea1e57ac745e0183984fc0a40ee1e72a099f8303ed9564e8bc9a3ab37c43d1050a2902d34c622941a8af62bfb671ce650789e50adac35df62e60dfe
-
Filesize
127B
MD5 80b32b79bf519fce07cdf7b8b7881067
SHA1 2fe368e8f5855ef5f08c46f389bf3b5482ace60b
SHA256 8ed98d8b82c482aaa79a8ea2f1aaea676c5641d69f2478ba7f241e990d5d99b1
SHA512 dc7b986bd5de842d8beb315dea77a424194701b6272cac884dd31cd04586879fa93f3d1f44ec9ca01625b31115b00a2b5fe5028baef7d9ab277881653cab116e
-
Filesize
1KB
MD5 8d64f65d497b498fe88d9f446628e0e6
SHA1 2c01f76965fa52f717649db191a016b04c296b97
SHA256 735f05df747c5fee00b019083ce51cc52bc338382228e43441f1700a8dc3385b
SHA512 e9f3df490abd42ca4321a771ee35a54819e37eea99256a398544d94c6ff30f7d021a23d87233e3112a2edb5d5fecef4835b688281e2b29d114af01a90cd6fbf1
-
Filesize
1.3MB
MD5 11ee7471fc15a11b25135052aa282602
SHA1 bacf067665074dddd07b74c0ff44e27d549e6866
SHA256 7c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b
SHA512 391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7
-
Filesize
1.3MB
MD5 11ee7471fc15a11b25135052aa282602
SHA1 bacf067665074dddd07b74c0ff44e27d549e6866
SHA256 7c85333ea420f466a6d3113f5ded4c3cadc8ba4d9ae92fe2f53d475543c8c87b
SHA512 391087e5eefd09f8013824ffdb7b2d5c27c41e259b56e19dbde061862276125dd6998468b71007503edad28e9d7cb5e88b15b9977a666a00194c3a6063e152d7
-
Filesize
479KB
MD5 ba9409e272ccd7bb5a43e9d28f1b7440
SHA1 2dd25abd0c6e55e05f596671c839ed035e00e61d
SHA256 73b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11
SHA512 89a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9
-
Filesize
479KB
MD5 ba9409e272ccd7bb5a43e9d28f1b7440
SHA1 2dd25abd0c6e55e05f596671c839ed035e00e61d
SHA256 73b7fea4754e8be18812adc0ddd7b3c3c8c3797a889cc801cc94c7195027aa11
SHA512 89a1e4e77465c965cfe9c1ab2983d601506469cafbebc327daeee52fefd319a4f988af375e932060a3debab5fea7ad7830ec8b0453daa08f7320358c54472bc9
-
Filesize
1.1MB
MD5 b117965f227519eb5c8d6e86bc2dd2a4
SHA1 e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256 f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512 728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
Filesize
1.1MB
MD5 b117965f227519eb5c8d6e86bc2dd2a4
SHA1 e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256 f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512 728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
Filesize
1.1MB
MD5 b117965f227519eb5c8d6e86bc2dd2a4
SHA1 e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256 f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512 728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
Filesize
1.1MB
MD5 b117965f227519eb5c8d6e86bc2dd2a4
SHA1 e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256 f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512 728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
Filesize
1.1MB
MD5 b117965f227519eb5c8d6e86bc2dd2a4
SHA1 e1d80bd0958b69cc73eaf1ee26aa816f795aad63
SHA256 f8cfedc4ecdfa6a3e14f46968b5a8e6797a448b0d30f12015cd721121470fcfd
SHA512 728252062ff056079c811cfd42c52971b55e96771ecbd911c49f01c94927a1259ab96c2079e78aced2cae737302401889a3fda52c91d0eccc3719f24d17c177f
-
Filesize
315KB
MD5 4807d6b3bc3740ed58861f208470d076
SHA1 5efe5de43d28aeaa24c7065ce7113fd0c96f2539
SHA256 133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689
SHA512 e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475
-
Filesize
315KB
MD5 4807d6b3bc3740ed58861f208470d076
SHA1 5efe5de43d28aeaa24c7065ce7113fd0c96f2539
SHA256 133a86c10b14d53d0807901d3cd477b0e1f62b9351707fe82ded7fe19c1f7689
SHA512 e1494471bc8bf182b694907714043cc39d7e4003ccfd56d1fc41c3d15071bf2cc4347858afacff174849be30b32aab828f91d13f3dd58629e0f560918bca6475
-
Filesize
1.3MB
MD5 824438344c636fdd81ff2e0d02577912
SHA1 ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256 eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA512 09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
Filesize
1.3MB
MD5 824438344c636fdd81ff2e0d02577912
SHA1 ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256 eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA512 09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
Filesize
1.3MB
MD5 824438344c636fdd81ff2e0d02577912
SHA1 ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256 eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA512 09f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
Filesize
1.5MB
MD5 70d3bb5c6ca4166d190ad265b14f117e
SHA1 95497e892ee875ef226edf3db059121c2c5284ed
SHA256 7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA512 0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
Filesize
1.5MB
MD5 70d3bb5c6ca4166d190ad265b14f117e
SHA1 95497e892ee875ef226edf3db059121c2c5284ed
SHA256 7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA512 0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
Filesize
1.5MB
MD5 70d3bb5c6ca4166d190ad265b14f117e
SHA1 95497e892ee875ef226edf3db059121c2c5284ed
SHA256 7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA512 0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
Filesize
1.5MB
MD5 70d3bb5c6ca4166d190ad265b14f117e
SHA1 95497e892ee875ef226edf3db059121c2c5284ed
SHA256 7d8f13128ef978852b8a1446bba4f9c9dea53cbcd1fcedc08b2054cbe8b0e5d9
SHA512 0abff26122a137960f1d4564828b1456d0bdff68c87d120c3514cc2c819038d0c6c34398f67377898058b6e8d08f4676393831c413d80181786e459ef4d01720
-
Filesize
29KB
MD5 cc4dacf8520e38549ad23aaeedf67027
SHA1 2583bf30caee94ea804201c65d55d6e4df7f643f
SHA256 671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f
SHA512 4e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a
-
Filesize
29KB
MD5 cc4dacf8520e38549ad23aaeedf67027
SHA1 2583bf30caee94ea804201c65d55d6e4df7f643f
SHA256 671d6806eb42b720d6fd9aa0e19c14918bb79204db90b5db1fbdf67ee87c253f
SHA512 4e8ad8b28d596c9844d5255e9f25f3e9999433e8804e1eb2af2bf3a1aba2742c1a4df500b460c5837f596f41f0d3f05686c5d817de6b294edbae1a652c63725a
-
Filesize
2.1MB
MD5 d2fe1a2f73303d37c178250add341b97
SHA1 e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA256 26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA512 0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
Filesize
2.1MB
MD5 d2fe1a2f73303d37c178250add341b97
SHA1 e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA256 26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA512 0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
Filesize
2.1MB
MD5 d2fe1a2f73303d37c178250add341b97
SHA1 e341e8adaec629d299101bbf1b9a3ca2bfaf7417
SHA256 26742bef88539fcb6beb9753293a4fef4044663cfcb0a799e989194fcdfd3456
SHA512 0c685c265ed28f7655bf27c1a5c1f735670df40ae6e4b835bac3cc62b63b8fe54af82ab0941ca988b1c3220e740c0b2508103a1736b72a79a27ea17bf9a1bc81
-
Filesize
97KB
MD5 a77ff55010a30b7bda46c35f74c160ea
SHA1 2be0031a06e02ce9a16ffd59747e793314759167
SHA256 7a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30
SHA512 fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02
-
Filesize
97KB
MD5 a77ff55010a30b7bda46c35f74c160ea
SHA1 2be0031a06e02ce9a16ffd59747e793314759167
SHA256 7a2b062cfbd490970999dff5b19a25b0600d6ada1cf1271066dcf335d74dee30
SHA512 fdd0e51697aa2bcea5ae6939493cc5360794f96429e08d194ac1b72b689221da047bae8be0f698654b42e23f5381b102b0854e1cece20557df93db1c596eed02
-
Filesize
1.0MB
MD5 3830fb01bdf4b41e2e9551d422caf795
SHA1 d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA256 6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA512 5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
Filesize
1.0MB
MD5 3830fb01bdf4b41e2e9551d422caf795
SHA1 d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA256 6c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA512 5f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
Filesize
1.0MB
MD53830fb01bdf4b41e2e9551d422caf795
SHA1d63a892fc41d2be82de8d02a04b906a8595dcac9
SHA2566c07127df2ebac66a59a3bc4157a891def20b61d87cf2d206353025893d01422
SHA5125f2c54bd05b2fe4109b66e3721a19cd533899c3c694ca3a51422cb5d4015d536b96d0e16ea1f5ed8a43dc6d3e690a1702351034f3a68765d6dc6b16983c19886
-
Filesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
Filesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
Filesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
Filesize
1.3MB
MD5824438344c636fdd81ff2e0d02577912
SHA1ae288a2cc5bd0cce01615d8d568031c3e84902e2
SHA256eaba5f0fb075665dc6568f05f66a271b0a03046da739d41de5920d78c40deb65
SHA51209f1903c6244af5f191e64e9ff6025af6a1c752096b48d43094e5eb6f92c00a77381b49dd6d0d57fc995d4bc4a8375f0ef13d2a9cbc823e3d91b6b9f418b568b
-
Filesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee
-
Filesize
92KB
MD501ccde20287004986c0f29ff0df2e3b1
SHA118f9831e3246a08f000b0f4d6f009f2294c7c652
SHA256862e652677b7a597b24efc1bdb16030ed8512a8e262050a4b40a829b58855860
SHA512785545dcb74ca29b405261931be0464e65aadc84ebf51e7ad62af709b3867c3a706c9b4efc1e7f922e90c301ff0944feb2dbe6a790db7ac0ba4215b75fde86ee