Analysis

max time kernel: 145s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/03/2024, 22:58
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1199885205868126319/1213613091300974602/Etheral_External.exe?ex=65f61c44&is=65e3a744&hm=0161b4c6eff9c63d2ea89f6e2b42fa7fc49fbd4987ea98760ed200ee0f22588e&
Resource: win11-20240221-en
General

Target: https://cdn.discordapp.com/attachments/1199885205868126319/1213613091300974602/Etheral_External.exe?ex=65f61c44&is=65e3a744&hm=0161b4c6eff9c63d2ea89f6e2b42fa7fc49fbd4987ea98760ed200ee0f22588e&

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282" | unregmp2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0" | unregmp2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP" | unregmp2.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | unregmp2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2" | unregmp2.exe

Executes dropped EXE (12 IoCs)
pid | Process
1064 | Etheral_External.exe
4648 | b2e.exe
3688 | Etheral_External.exe
2468 | b2e.exe
872 | Etheral_External.exe
3992 | b2e.exe
1004 | Etheral_External.exe
1932 | b2e.exe
4108 | b2e.exe
2224 | b2e.exe
2592 | b2e.exe
4864 | b2e.exe

Drops desktop.ini file(s) (1 IoCs)
description | ioc | Process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | unregmp2.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Media Player\wmplayer.exe | unregmp2.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (64 IoCs)

NTFS ADS (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 397235.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Etheral_External.exe:Zone.Identifier | msedge.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid | Process
688 | OpenWith.exe
3788 | OpenWith.exe
892 | OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process
4048 | msedge.exe
4048 | msedge.exe
4048 | msedge.exe
4048 | msedge.exe
4048 | msedge.exe
4048 | msedge.exe
4048 | msedge.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4772 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 4772 | unregmp2.exe
Token: SeShutdownPrivilege | 3260 | wmplayer.exe
Token: SeCreatePagefilePrivilege | 3260 | wmplayer.exe
Token: SeDebugPrivilege | 3036 | firefox.exe
Token: SeDebugPrivilege | 3036 | firefox.exe

Suspicious use of FindShellTrayWindow (40 IoCs)

Suspicious use of SendNotifyMessage (15 IoCs)

Suspicious use of SetWindowsHookEx (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1199885205868126319/1213613091300974602/Etheral_External.exe?ex=65f61c44&is=65e3a744&hm=0161b4c6eff9c63d2ea89f6e2b42fa7fc49fbd4987ea98760ed200ee0f22588e&
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4048
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9a733cb8,0x7fff9a733cc8,0x7fff9a733cd82⤵PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:2292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:82⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 /prefetch:82⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3308
C:\Users\Admin\Downloads\Etheral_External.exe"C:\Users\Admin\Downloads\Etheral_External.exe"2⤵
- Executes dropped EXE
PID:1064
C:\Users\Admin\AppData\Local\Temp\7A21.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\7A21.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7A21.tmp\b2e.exe C:\Users\Admin\Downloads "C:\Users\Admin\Downloads\Etheral_External.exe"3⤵
- Executes dropped EXE
PID:4648
C:\Users\Admin\Downloads\Etheral_External.exe"C:\Users\Admin\Downloads\Etheral_External.exe"2⤵
- Executes dropped EXE
PID:3688
C:\Users\Admin\AppData\Local\Temp\A335.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\A335.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\A335.tmp\b2e.exe C:\Users\Admin\Downloads "C:\Users\Admin\Downloads\Etheral_External.exe"3⤵
- Executes dropped EXE
PID:2468
C:\Users\Admin\Downloads\Etheral_External.exe"C:\Users\Admin\Downloads\Etheral_External.exe"2⤵
- Executes dropped EXE
PID:872
C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B8C1.tmp\b2e.exe C:\Users\Admin\Downloads "C:\Users\Admin\Downloads\Etheral_External.exe"3⤵
- Executes dropped EXE
PID:3992
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵PID:4380
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:3768
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:12⤵PID:1356
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:776
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6133751588318294791,11054851768928892093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6032 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4972
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3868
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4664
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2496
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4160
C:\Users\Admin\Downloads\Etheral_External.exe"C:\Users\Admin\Downloads\Etheral_External.exe"1⤵
- Executes dropped EXE
PID:1004
C:\Users\Admin\AppData\Local\Temp\E0BB.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\E0BB.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\E0BB.tmp\b2e.exe C:\Users\Admin\Downloads "C:\Users\Admin\Downloads\Etheral_External.exe"2⤵
- Executes dropped EXE
- Modifies registry class
PID:1932
C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"1⤵PID:3460
C:\Users\Admin\AppData\Local\Temp\2872.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\2872.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\2872.tmp\b2e.exe C:\Windows\system32 "C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"2⤵
- Executes dropped EXE
- Modifies registry class
PID:4108
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:688
C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"1⤵PID:2032
C:\Users\Admin\AppData\Local\Temp\63B6.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\63B6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\63B6.tmp\b2e.exe C:\Windows\system32 "C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"2⤵
- Executes dropped EXE
- Modifies registry class
PID:2224
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3788
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\6433.tmp\F"2⤵PID:3916
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\6433.tmp\F"3⤵PID:2056
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary4⤵PID:872
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT5⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:1004
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play "C:\Users\Admin\AppData\Local\Temp\6433.tmp\F"4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3260
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon3⤵PID:4820
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4772
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:2012
C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"1⤵PID:1188
C:\Users\Admin\AppData\Local\Temp\BB3D.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\BB3D.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BB3D.tmp\b2e.exe C:\Windows\system32 "C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"2⤵
- Executes dropped EXE
PID:2592
C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"1⤵PID:1708
C:\Users\Admin\AppData\Local\Temp\CB98.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\CB98.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\CB98.tmp\b2e.exe C:\Windows\system32 "C:\Users\Admin\AppData\Local\Temp\Temp1_Etheral_External.zip\Etheral_External.exe"2⤵
- Executes dropped EXE
PID:4864
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:892
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\CBE6.tmp\M"2⤵PID:3936
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\CBE6.tmp\M3⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3036
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.0.1900253300\452007637" -parentBuildID 20221007134813 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d022702-a5e6-44f1-a201-55453b954ee9} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 1740 2b7b32ed858 gpu4⤵PID:1316
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.1.976351994\738548519" -parentBuildID 20221007134813 -prefsHandle 2216 -prefMapHandle 2212 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8eb385c-1090-491a-b0bf-15147a438d46} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 2236 2b7b31fd558 socket4⤵
- Checks processor information in registry
PID:1088
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.2.1493846963\365914414" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2784 -prefsLen 21601 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96eb41ac-e350-4fa3-b748-9f7dd658fc55} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 2976 2b7b84d9558 tab4⤵PID:4952
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.3.935314\423660765" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd8db11-84ed-4d46-8c37-6efd10d00d9b} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 1276 2b7a7168758 tab4⤵PID:1916
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.4.1000607608\1729737766" -childID 3 -isForBrowser -prefsHandle 4868 -prefMapHandle 4880 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e04bc243-7908-4493-babf-f3c23f0abdeb} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 4888 2b7a712f358 tab4⤵PID:5676
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.5.2049441250\839824109" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b6dd2b-23eb-448d-8f3f-f8925767cfc0} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 5032 2b7baa56558 tab4⤵PID:5684
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3036.6.1976101786\652812073" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09c3dcd0-6a3c-417a-b1fa-806f9bdfc1e4} 3036 "\\.\pipe\gecko-crash-server-pipe.3036" 5228 2b7baa55058 tab4⤵PID:5692
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:5232
Network
MITRE ATT&CK Enterprise v15
Downloads