Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
900s -
max time network
900s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-uk -
resource tags
arch:x64arch:x86image:win10v2004-20250207-uklocale:uk-uaos:windows10-2004-x64systemwindows -
submitted
08/02/2025, 11:33
Behavioral task
behavioral1
Sample
nkth.exe
Resource
win10ltsc2021-20250207-uk
Behavioral task
behavioral2
Sample
nkth.exe
Resource
win10v2004-20250207-uk
Behavioral task
behavioral3
Sample
nkth.exe
Resource
win10ltsc2021-20250207-uk
Behavioral task
behavioral4
Sample
nkth.exe
Resource
win11-20250207-uk
General
-
Target
nkth.exe
-
Size
55KB
-
MD5
33644523cb6a6c01bbf2dd5c3a97aafc
-
SHA1
7fd0d35a09a32693d30ffdb49ecd69c1229d2a20
-
SHA256
e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45
-
SHA512
43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b
-
SSDEEP
1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm
Malware Config
Signatures
-
Njrat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 18 3076 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation nkth.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 11 IoCs
pid Process 3144 790513c571684654ad33497c4491e1b3.exe 1456 setup.exe 5068 setup.exe 640 setup.exe 728 setup.exe 3520 setup.exe 4012 setup.exe 4560 setup.exe 1948 setup.exe 1324 setup.exe 1840 setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ne.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\EdgeWebView.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_feedback\camera_mf_trace.wprp setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\de.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fa.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\v8_context_snapshot.bin setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\is.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\it.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe MicrosoftEdge_X64_132.0.2957.140.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.exe.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ar.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\telclient.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ka.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\canary.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Edge.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Entities setup.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\SETUP.EX_ MicrosoftEdge_X64_132.0.2957.140.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onramp.dll setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\hu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pt-BR.pak setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\bg.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\id.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_wer.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lo.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\et.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\zh-CN.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1948_13383488929895770_1948.pma setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\am.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\resources.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\nb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Staging setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\beta.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\hi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_game_assist\VERSION setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_100_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\gl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\tt.pak setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nkth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2164 MicrosoftEdgeUpdate.exe 1352 MicrosoftEdgeUpdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xht setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com wwahost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer wwahost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,11" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState wwahost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings wwahost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" wwahost.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\NumberOfSubdomains = "0" wwahost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge" setup.exe Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage wwahost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\"" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" wwahost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0" wwahost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe 3144 790513c571684654ad33497c4491e1b3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3436 nkth.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: SeDebugPrivilege 3144 790513c571684654ad33497c4491e1b3.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe Token: 33 3436 nkth.exe Token: SeIncBasePriorityPrivilege 3436 nkth.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 636 wwahost.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3436 wrote to memory of 3144 3436 nkth.exe 89 PID 3436 wrote to memory of 3144 3436 nkth.exe 89 PID 1928 wrote to memory of 1456 1928 MicrosoftEdge_X64_132.0.2957.140.exe 94 PID 1928 wrote to memory of 1456 1928 MicrosoftEdge_X64_132.0.2957.140.exe 94 PID 1456 wrote to memory of 5068 1456 setup.exe 95 PID 1456 wrote to memory of 5068 1456 setup.exe 95 PID 1456 wrote to memory of 640 1456 setup.exe 96 PID 1456 wrote to memory of 640 1456 setup.exe 96 PID 640 wrote to memory of 728 640 setup.exe 97 PID 640 wrote to memory of 728 640 setup.exe 97 PID 1456 wrote to memory of 3520 1456 setup.exe 98 PID 1456 wrote to memory of 3520 1456 setup.exe 98 PID 1456 wrote to memory of 4012 1456 setup.exe 99 PID 1456 wrote to memory of 4012 1456 setup.exe 99 PID 3520 wrote to memory of 4560 3520 setup.exe 101 PID 3520 wrote to memory of 4560 3520 setup.exe 101 PID 1456 wrote to memory of 1948 1456 setup.exe 100 PID 1456 wrote to memory of 1948 1456 setup.exe 100 PID 1948 wrote to memory of 1324 1948 setup.exe 102 PID 1948 wrote to memory of 1324 1948 setup.exe 102 PID 4012 wrote to memory of 1840 4012 setup.exe 104 PID 4012 wrote to memory of 1840 4012 setup.exe 104 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nkth.exe"C:\Users\Admin\AppData\Local\Temp\nkth.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe"C:\Users\Admin\AppData\Local\Temp\790513c571684654ad33497c4491e1b3.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDYyQzBFMEUtQzlCNS00OTZGLTgxNDktMDQ3MTNEOUUxM0FCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzYwODA5MzYxIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2164
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1456 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca8303⤵
- Executes dropped EXE
PID:5068
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a9ca818,0x7ff75a9ca824,0x7ff75a9ca8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:728
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4560
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a8304⤵
- Executes dropped EXE
PID:1840
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a9e3a818,0x7ff7a9e3a824,0x7ff7a9e3a8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1324
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵PID:1048
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch1⤵PID:1712
-
C:\Windows\system32\wwahost.exe"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:636
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjIzMzAzQ0EtRUQ4Qy00MjQ3LTkxRTMtRUIyQjNFQjQwMjYwfSIgdXNlcmlkPSJ7OTQ2QjVFNUUtN0Q2Qi00QzU2LTlFMzgtM0YzM0I2OTdGMjI5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFNzlDNjVBQy0wMDFGLTRGMzQtOUQzMS1CNEU4Q0MwMjQwODB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7M0E3N0FFN0UtQkVEOC00RTA1LTg2ODgtRDUzQ0RGMDlCRkRCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyOTY1ODY5ODgwMDAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MTkwOTA4MjEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxOTA5MDgyMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgxNTI4ODQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTYxOTMzMyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1OWm8lMmJwZiUyZk5VdGFkY3RORWVodlNuMzllajFZclJGbzc0enRTOEUwN1pJQ1lmTnlJR2pDMFE0dlNzJTJmMnpXeTNPZlRmYzViYU1HN2lXJTJmZG5Wckp2b253JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzMzgzMDkwNTkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzA3NDAwMzZhLTRlMTgtNDU2ZC05NmZhLWQxZDljNGNhNDY3Nj9QMT0xNzM5NjE5MzMzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PU5abyUyYnBmJTJmTlV0YWRjdE5FZWh2U24zOWVqMVlyUkZvNzR6dFM4RTA3WklDWWZOeUlHakMwUTR2U3MlMmYyeld5M09mVGZjNWJhTUc3aVclMmZkblZySnZvbnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIGRvd25sb2FkX3RpbWVfbXM9Ijc4NTc1MCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzMzODMwOTA1OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzM1MTU5MDY3NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTM4OTI2ODQzNjYiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0MjUwIiBkb3dubG9hZF90aW1lX21zPSI3OTE5MjIiIGRvd25sb2FkZWQ9IjE3NzE4MDIxNiIgdG90YWw9IjE3NzE4MDIxNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTQxMTAiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjEyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins3MTNBQjhDMy05QkQ3LTQxMTAtOTlERi1ERTk4MjNFN0RGMTV9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY2MDgiIGNvaG9ydD0icnJmQDAuNzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTBGNjIyOEEtMjhEOC00OTk1LUFGMUQtQjIyQUFENEVDNUU5fSIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1352
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1BB775E6-7454-4A89-8CA0-8703DD7617C6}\EDGEMITMP_11418.tmp\setup.exe
Filesize6.6MB
MD5b4c8ad75087b8634d4f04dc6f92da9aa
SHA17efaa2472521c79d58c4ef18a258cc573704fb5d
SHA256522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf
SHA5125094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3
-
Filesize
3.7MB
MD53646786aea064c0845f5bb1b8e976985
SHA1a31ba2d2192898d4c0a01511395bdf87b0e53873
SHA256a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f
SHA512145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4
-
Filesize
70KB
MD51c4c7389dd7aafd8a2a70d36fbe70e6b
SHA13d3d9782801aabf1a1edcb6eb534e12225512fbc
SHA256e7ab642d43b762d440ca99bd4925fdd5eca57c7469272a22b69cf440efd46588
SHA512470071942572f174477e10db9f8940cb63da4213eca52f82bfc5e1bf2dbcd553b92f2e3e5022b39609e7ca3efe2c8debd20143fbe24b58350a5c18a4577aeddc
-
Filesize
96KB
MD57daa9cbe5c885bd3fcbc95e0cc5ccc65
SHA172498815de2fab7baafde293695edea77c5699d5
SHA25643c71151812126c7113a6df8c28251e012a48c5aa9a4949526d9c36c55c1a8f7
SHA5126b8e63ec4823100dc83b5566f28a88116d4271b4a4a58de0f78d1184a891c87271cc245e23e0801d7a354de295834d3b8781f6bec1b6de525f84ebbfa75dd4d5
-
Filesize
101KB
MD5ef041b93fe3647aa894c7dd271998dde
SHA1d1e8bcb08e7be75b71d9066a0efcad980846c949
SHA256ea03ce086b39dbb8a8930d6f8faf31b204202cf16715b6104974b041fdeb204a
SHA51208fc5f4c4b2b041c5a4b647b883d0444fcd967f382eb384bebe5ac98c4da5f59dcad9e15c95602ff810b7f27f708d8bd0a69e005fa05157da66224771e029310
-
Filesize
102KB
MD5d1bab77678c3cf29a239e62c09a7a406
SHA1a103b45f4b6d715d10db72fb0c285937a88f2748
SHA256f8971aa2fe297a0b44bf19603b7b7abeae6d4549a4543e3da9516da49d9740a3
SHA512784e11bdac9e669cd48e008ab5a43e7f9b07399d4d598324b156342f183a9bf08fb56cb83c05c9aef236c6b1c1e8e359b7c8b642711ab7a6aa64c6c22da0f42a
-
Filesize
1.3MB
MD55e700bc9ace8593aaff634e63ec48017
SHA11916226b9f1a53cbc627412ad5b8199c69cf0566
SHA256697e76a8c63793dabc98fbbd221321406444f3dfb67c7cb727f7cb71b20de5fd
SHA512f5a18f71e8d3625bf2b50922dbfd656456147fff2aae717e86c23e083cc684d43f00270c0f540fc61a2c32e0b1aea2ffdc44436d4bb7cb77586f50e6e307f338
-
Filesize
16KB
MD5683bcb1f86f4410931abe39a63eb7057
SHA1d338aac5ff479fc94d3c840e862665de1dac8c8f
SHA256c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12
SHA51260b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2