Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
01/11/2022, 11:39
Behavioral task
behavioral1
Sample
f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe
Resource
win10-20220812-en
General
-
Target
f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe
-
Size
1.3MB
-
MD5
a12831c75a8464f91cb0952e8a4d98db
-
SHA1
fe2edc85a4e8ec8c13e604fddfcd7f2ae7b26929
-
SHA256
f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f
-
SHA512
dd090cb39e8d781e88c025fce90d1c83f07c72ca0e9595b6f6855568483f78c592623a2129a4c564aa3d72bbb5e47a89228dd3c32ede64f99fca106f83afe6cf
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4380 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4332 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3652 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5040 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4940 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4680 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4556 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4476 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4504 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4436 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4344 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1872 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 944 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1432 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3116 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 188 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 200 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3256 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2208 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 676 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 752 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 744 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2108 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2240 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2408 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2904 2280 schtasks.exe 70 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2280 schtasks.exe 70 -
resource yara_rule behavioral1/files/0x000800000001ac0e-283.dat dcrat behavioral1/files/0x000800000001ac0e-284.dat dcrat behavioral1/memory/4772-285-0x00000000009D0000-0x0000000000AE0000-memory.dmp dcrat behavioral1/files/0x000600000001ac28-354.dat dcrat behavioral1/files/0x000600000001ac28-353.dat dcrat behavioral1/files/0x000600000001ac28-914.dat dcrat behavioral1/files/0x000600000001ac28-920.dat dcrat behavioral1/files/0x000600000001ac28-925.dat dcrat behavioral1/files/0x000600000001ac28-931.dat dcrat behavioral1/files/0x000600000001ac28-936.dat dcrat behavioral1/files/0x000600000001ac28-942.dat dcrat behavioral1/files/0x000600000001ac28-948.dat dcrat behavioral1/files/0x000600000001ac28-953.dat dcrat behavioral1/files/0x000600000001ac28-958.dat dcrat behavioral1/files/0x000600000001ac28-963.dat dcrat -
Executes dropped EXE 12 IoCs
pid Process 4772 DllCommonsvc.exe 4900 dwm.exe 5980 dwm.exe 4476 dwm.exe 396 dwm.exe 5568 dwm.exe 412 dwm.exe 364 dwm.exe 2612 dwm.exe 4540 dwm.exe 4312 dwm.exe 4700 dwm.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files\MSBuild\dwm.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\en-US\69ddcba757bf72 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\explorer.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088 DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\en-US\smss.exe DllCommonsvc.exe File created C:\Program Files\Internet Explorer\de-DE\cmd.exe DllCommonsvc.exe File created C:\Program Files\Internet Explorer\de-DE\ebf1f9fa8afd6d DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f DllCommonsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 DllCommonsvc.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\System.exe DllCommonsvc.exe File created C:\Program Files\MSBuild\6cb0b6c459d5d3 DllCommonsvc.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Boot\Resources\dwm.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 860 schtasks.exe 1432 schtasks.exe 1944 schtasks.exe 744 schtasks.exe 2904 schtasks.exe 4380 schtasks.exe 4608 schtasks.exe 816 schtasks.exe 2108 schtasks.exe 4340 schtasks.exe 4504 schtasks.exe 4680 schtasks.exe 4512 schtasks.exe 2236 schtasks.exe 2716 schtasks.exe 4940 schtasks.exe 3880 schtasks.exe 200 schtasks.exe 676 schtasks.exe 5036 schtasks.exe 4344 schtasks.exe 4556 schtasks.exe 4476 schtasks.exe 2572 schtasks.exe 944 schtasks.exe 2240 schtasks.exe 3652 schtasks.exe 5040 schtasks.exe 3176 schtasks.exe 4304 schtasks.exe 4180 schtasks.exe 4656 schtasks.exe 1872 schtasks.exe 1440 schtasks.exe 4332 schtasks.exe 5024 schtasks.exe 752 schtasks.exe 3256 schtasks.exe 2208 schtasks.exe 2408 schtasks.exe 908 schtasks.exe 3116 schtasks.exe 1052 schtasks.exe 844 schtasks.exe 188 schtasks.exe 4640 schtasks.exe 4460 schtasks.exe 4436 schtasks.exe -
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings dwm.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 4772 DllCommonsvc.exe 2720 powershell.exe 2720 powershell.exe 2520 powershell.exe 2520 powershell.exe 2448 powershell.exe 2448 powershell.exe 3912 powershell.exe 3476 powershell.exe 3912 powershell.exe 3476 powershell.exe 4012 powershell.exe 4012 powershell.exe 4448 powershell.exe 4448 powershell.exe 2648 powershell.exe 2648 powershell.exe 592 powershell.exe 592 powershell.exe 4764 powershell.exe 4764 powershell.exe 2188 powershell.exe 2188 powershell.exe 4200 powershell.exe 4200 powershell.exe 1284 powershell.exe 1284 powershell.exe 1920 powershell.exe 1920 powershell.exe 4864 powershell.exe 4864 powershell.exe 4412 powershell.exe 4412 powershell.exe 4220 powershell.exe 4220 powershell.exe 4200 powershell.exe 1920 powershell.exe 4900 dwm.exe 4900 dwm.exe 2720 powershell.exe 2520 powershell.exe 592 powershell.exe 3912 powershell.exe 2448 powershell.exe 4448 powershell.exe 3476 powershell.exe 4012 powershell.exe 2648 powershell.exe 4764 powershell.exe 4864 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4772 DllCommonsvc.exe Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 2520 powershell.exe Token: SeDebugPrivilege 2448 powershell.exe Token: SeDebugPrivilege 3912 powershell.exe Token: SeDebugPrivilege 3476 powershell.exe Token: SeDebugPrivilege 4012 powershell.exe Token: SeDebugPrivilege 4448 powershell.exe Token: SeDebugPrivilege 2648 powershell.exe Token: SeDebugPrivilege 592 powershell.exe Token: SeDebugPrivilege 4764 powershell.exe Token: SeDebugPrivilege 4900 dwm.exe Token: SeDebugPrivilege 2188 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeDebugPrivilege 1284 powershell.exe Token: SeDebugPrivilege 1920 powershell.exe Token: SeDebugPrivilege 4864 powershell.exe Token: SeDebugPrivilege 4412 powershell.exe Token: SeDebugPrivilege 4220 powershell.exe Token: SeIncreaseQuotaPrivilege 1920 powershell.exe Token: SeSecurityPrivilege 1920 powershell.exe Token: SeTakeOwnershipPrivilege 1920 powershell.exe Token: SeLoadDriverPrivilege 1920 powershell.exe Token: SeSystemProfilePrivilege 1920 powershell.exe Token: SeSystemtimePrivilege 1920 powershell.exe Token: SeProfSingleProcessPrivilege 1920 powershell.exe Token: SeIncBasePriorityPrivilege 1920 powershell.exe Token: SeCreatePagefilePrivilege 1920 powershell.exe Token: SeBackupPrivilege 1920 powershell.exe Token: SeRestorePrivilege 1920 powershell.exe Token: SeShutdownPrivilege 1920 powershell.exe Token: SeDebugPrivilege 1920 powershell.exe Token: SeSystemEnvironmentPrivilege 1920 powershell.exe Token: SeRemoteShutdownPrivilege 1920 powershell.exe Token: SeUndockPrivilege 1920 powershell.exe Token: SeManageVolumePrivilege 1920 powershell.exe Token: 33 1920 powershell.exe Token: 34 1920 powershell.exe Token: 35 1920 powershell.exe Token: 36 1920 powershell.exe Token: SeIncreaseQuotaPrivilege 4200 powershell.exe Token: SeSecurityPrivilege 4200 powershell.exe Token: SeTakeOwnershipPrivilege 4200 powershell.exe Token: SeLoadDriverPrivilege 4200 powershell.exe Token: SeSystemProfilePrivilege 4200 powershell.exe Token: SeSystemtimePrivilege 4200 powershell.exe Token: SeProfSingleProcessPrivilege 4200 powershell.exe Token: SeIncBasePriorityPrivilege 4200 powershell.exe Token: SeCreatePagefilePrivilege 4200 powershell.exe Token: SeBackupPrivilege 4200 powershell.exe Token: SeRestorePrivilege 4200 powershell.exe Token: SeShutdownPrivilege 4200 powershell.exe Token: SeDebugPrivilege 4200 powershell.exe Token: SeSystemEnvironmentPrivilege 4200 powershell.exe Token: SeRemoteShutdownPrivilege 4200 powershell.exe Token: SeUndockPrivilege 4200 powershell.exe Token: SeManageVolumePrivilege 4200 powershell.exe Token: 33 4200 powershell.exe Token: 34 4200 powershell.exe Token: 35 4200 powershell.exe Token: 36 4200 powershell.exe Token: SeIncreaseQuotaPrivilege 592 powershell.exe Token: SeSecurityPrivilege 592 powershell.exe Token: SeTakeOwnershipPrivilege 592 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4696 wrote to memory of 5056 4696 f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe 66 PID 4696 wrote to memory of 5056 4696 f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe 66 PID 4696 wrote to memory of 5056 4696 f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe 66 PID 5056 wrote to memory of 3556 5056 WScript.exe 67 PID 5056 wrote to memory of 3556 5056 WScript.exe 67 PID 5056 wrote to memory of 3556 5056 WScript.exe 67 PID 3556 wrote to memory of 4772 3556 cmd.exe 69 PID 3556 wrote to memory of 4772 3556 cmd.exe 69 PID 4772 wrote to memory of 2720 4772 DllCommonsvc.exe 119 PID 4772 wrote to memory of 2720 4772 DllCommonsvc.exe 119 PID 4772 wrote to memory of 2520 4772 DllCommonsvc.exe 120 PID 4772 wrote to memory of 2520 4772 DllCommonsvc.exe 120 PID 4772 wrote to memory of 2448 4772 DllCommonsvc.exe 121 PID 4772 wrote to memory of 2448 4772 DllCommonsvc.exe 121 PID 4772 wrote to memory of 3912 4772 DllCommonsvc.exe 124 PID 4772 wrote to memory of 3912 4772 DllCommonsvc.exe 124 PID 4772 wrote to memory of 3476 4772 DllCommonsvc.exe 125 PID 4772 wrote to memory of 3476 4772 DllCommonsvc.exe 125 PID 4772 wrote to memory of 4012 4772 DllCommonsvc.exe 129 PID 4772 wrote to memory of 4012 4772 DllCommonsvc.exe 129 PID 4772 wrote to memory of 4448 4772 DllCommonsvc.exe 130 PID 4772 wrote to memory of 4448 4772 DllCommonsvc.exe 130 PID 4772 wrote to memory of 592 4772 DllCommonsvc.exe 131 PID 4772 wrote to memory of 592 4772 DllCommonsvc.exe 131 PID 4772 wrote to memory of 2648 4772 DllCommonsvc.exe 133 PID 4772 wrote to memory of 2648 4772 DllCommonsvc.exe 133 PID 4772 wrote to memory of 4764 4772 DllCommonsvc.exe 135 PID 4772 wrote to memory of 4764 4772 DllCommonsvc.exe 135 PID 4772 wrote to memory of 2188 4772 DllCommonsvc.exe 136 PID 4772 wrote to memory of 2188 4772 DllCommonsvc.exe 136 PID 4772 wrote to memory of 1920 4772 DllCommonsvc.exe 140 PID 4772 wrote to memory of 1920 4772 DllCommonsvc.exe 140 PID 4772 wrote to memory of 4200 4772 DllCommonsvc.exe 153 PID 4772 wrote to memory of 4200 4772 DllCommonsvc.exe 153 PID 4772 wrote to memory of 1284 4772 DllCommonsvc.exe 142 PID 4772 wrote to memory of 1284 4772 DllCommonsvc.exe 142 PID 4772 wrote to memory of 4864 4772 DllCommonsvc.exe 143 PID 4772 wrote to memory of 4864 4772 DllCommonsvc.exe 143 PID 4772 wrote to memory of 4220 4772 DllCommonsvc.exe 145 PID 4772 wrote to memory of 4220 4772 DllCommonsvc.exe 145 PID 4772 wrote to memory of 4412 4772 DllCommonsvc.exe 148 PID 4772 wrote to memory of 4412 4772 DllCommonsvc.exe 148 PID 4772 wrote to memory of 4900 4772 DllCommonsvc.exe 151 PID 4772 wrote to memory of 4900 4772 DllCommonsvc.exe 151 PID 4900 wrote to memory of 5244 4900 dwm.exe 155 PID 4900 wrote to memory of 5244 4900 dwm.exe 155 PID 5244 wrote to memory of 5160 5244 cmd.exe 157 PID 5244 wrote to memory of 5160 5244 cmd.exe 157 PID 5244 wrote to memory of 5980 5244 cmd.exe 158 PID 5244 wrote to memory of 5980 5244 cmd.exe 158 PID 5980 wrote to memory of 6100 5980 dwm.exe 159 PID 5980 wrote to memory of 6100 5980 dwm.exe 159 PID 6100 wrote to memory of 4528 6100 cmd.exe 161 PID 6100 wrote to memory of 4528 6100 cmd.exe 161 PID 6100 wrote to memory of 4476 6100 cmd.exe 162 PID 6100 wrote to memory of 4476 6100 cmd.exe 162 PID 4476 wrote to memory of 4304 4476 dwm.exe 163 PID 4476 wrote to memory of 4304 4476 dwm.exe 163 PID 4304 wrote to memory of 3260 4304 cmd.exe 165 PID 4304 wrote to memory of 3260 4304 cmd.exe 165 PID 4304 wrote to memory of 396 4304 cmd.exe 166 PID 4304 wrote to memory of 396 4304 cmd.exe 166 PID 396 wrote to memory of 5400 396 dwm.exe 167 PID 396 wrote to memory of 5400 396 dwm.exe 167
Processes
-
C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\dwm.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\cmd.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\conhost.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchUI.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:5244 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:5160
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:6100 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4528
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3260
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"12⤵PID:5400
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:4188
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"13⤵
- Executes dropped EXE
- Modifies registry class
PID:5568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"14⤵PID:5304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:4232
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"15⤵
- Executes dropped EXE
- Modifies registry class
PID:412 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"16⤵PID:4248
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4716
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"17⤵
- Executes dropped EXE
- Modifies registry class
PID:364 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"18⤵PID:3816
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:5800
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"19⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"20⤵PID:4776
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2232
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"21⤵
- Executes dropped EXE
- Modifies registry class
PID:4540 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"22⤵PID:1224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:3724
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"23⤵
- Executes dropped EXE
- Modifies registry class
PID:4312 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"24⤵PID:3800
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1120
-
-
C:\Program Files\MSBuild\dwm.exe"C:\Program Files\MSBuild\dwm.exe"25⤵
- Executes dropped EXE
- Modifies registry class
PID:4700 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"26⤵PID:2392
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:4912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchUI.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1KB
MD5d63ff49d7c92016feb39812e4db10419
SHA12307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA51200f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD54dd63e07607ba0ddffea2322a093b96a
SHA1388b4318a9662adb8b08b11a58e021d479f97ae9
SHA256c0ad0fc641c5a85a002805a44b1412ee20e6982517b51927e2adb48606cc920c
SHA51238e975456e95ea2b1acebf92e6baedac67801454d0f9a487939f5b57d1ad14c16c825c152a922a0d609f69241d78abfed2a73bcad8257d65d2017efa0218293d
-
Filesize
1KB
MD53a664255c97733804f7f63100d93cbd6
SHA1a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9
SHA256ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce
SHA5123a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813
-
Filesize
1KB
MD53a664255c97733804f7f63100d93cbd6
SHA1a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9
SHA256ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce
SHA5123a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813
-
Filesize
1KB
MD594aca9ba1f84a489b4e97898bca4539b
SHA132bb3571fe4739ace62cf8704e039bbeead2939f
SHA25617c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79
SHA5127430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be
-
Filesize
1KB
MD594aca9ba1f84a489b4e97898bca4539b
SHA132bb3571fe4739ace62cf8704e039bbeead2939f
SHA25617c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79
SHA5127430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be
-
Filesize
1KB
MD5e9ba28f2d4217a343c8648d22fbe9737
SHA107b1892d6330f61f2ead872cd41a60ab19f403a0
SHA256da824bc99d5c24d7ca83e1e1cfee8288b7ad61736c3f143d816171b2044a4b73
SHA51229e202086d319135bb79ffd233e7b58eab0e7888485baaece1bc3a478b862c712ce061d1dd29017cb67ef0fe66037ec725996e19203a3f046ee46f94cfa35c35
-
Filesize
1KB
MD5bcd75daea7963167d3f8e40ba986ee7e
SHA16e0535c54ab8f7708932ba2f9674a2a6962c3943
SHA25699e82cbcc52a5f6b16bba8994228c35dba87abb8f047c5a210959b24c1f9b88f
SHA51238b27ccf948d4a81eaff88b8358cd5ec1e4ed688c743436302eaa39866ffdade4b4d5567b146211d633d3d64626899de7637e4780d5b6412c19cdebc4edc2268
-
Filesize
1KB
MD5d95a9865506ac32268c0388f8549a004
SHA130d102f0d293abe78b4594933dfceaaed69c2706
SHA25617b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f
SHA512ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e
-
Filesize
1KB
MD5d95a9865506ac32268c0388f8549a004
SHA130d102f0d293abe78b4594933dfceaaed69c2706
SHA25617b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f
SHA512ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e
-
Filesize
1KB
MD56451f086db7687095451e197015c8d10
SHA1a2c5fd63d4679e7ba4cafec585bd3aaf212d2476
SHA256be28a4bf8dc8962d3a3fd92bab88af741b57b571d507da5e6d73e2ced22b537d
SHA5126be7e42d2c7c72653b1b1f360f8252f3f3a4f703129ea5072998422243cb8a95f2402fc92a77a846f5a5843b92a74949b9287019d3b8bb28fa3ef6c71f29e692
-
Filesize
1KB
MD53ce3ed4732ea2563a7d5e88d3da49cd3
SHA1a2f686162e1e8b28fd5bb1dcbae15b4110f34100
SHA256e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02
SHA51279db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c
-
Filesize
1KB
MD53ce3ed4732ea2563a7d5e88d3da49cd3
SHA1a2f686162e1e8b28fd5bb1dcbae15b4110f34100
SHA256e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02
SHA51279db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c
-
Filesize
1KB
MD5aca575bb5b733dafbdc71372e52547ef
SHA1ed6bb9828fdf19693a86e6d74a0c7915be8d67e5
SHA256e9be6f64f6ef44b4e30ae07d77ad7dcb41c1c1c3afe5da15c5c016d11eb8bd7f
SHA512149bed98bc521acdc7392315c5b2bc132dff649ee6873f20c9bf7239100abbe12a61c767f094aa8c93e26b06a2ebbaa5938c669cc655f9dca0d38a5cfe02c493
-
Filesize
1KB
MD5aca575bb5b733dafbdc71372e52547ef
SHA1ed6bb9828fdf19693a86e6d74a0c7915be8d67e5
SHA256e9be6f64f6ef44b4e30ae07d77ad7dcb41c1c1c3afe5da15c5c016d11eb8bd7f
SHA512149bed98bc521acdc7392315c5b2bc132dff649ee6873f20c9bf7239100abbe12a61c767f094aa8c93e26b06a2ebbaa5938c669cc655f9dca0d38a5cfe02c493
-
Filesize
1KB
MD51aada366135da6f493d1fb63feaefe9e
SHA17a2e7a5dfb5c0374b719c7b050b0adaf48d451aa
SHA2568f8fd98c392da6385211f970c638104f11407dcf935b062bb5f333d8daf46391
SHA512bd88dc26e7f615e3aa02cf7dcc88a103b1c7df3b40abd6795b08964a15dc0b0a61554a33d2b280a1cebc01b0e0f3af05b22e63c5701c4ef18d18ef58d819b33e
-
Filesize
1KB
MD51aada366135da6f493d1fb63feaefe9e
SHA17a2e7a5dfb5c0374b719c7b050b0adaf48d451aa
SHA2568f8fd98c392da6385211f970c638104f11407dcf935b062bb5f333d8daf46391
SHA512bd88dc26e7f615e3aa02cf7dcc88a103b1c7df3b40abd6795b08964a15dc0b0a61554a33d2b280a1cebc01b0e0f3af05b22e63c5701c4ef18d18ef58d819b33e
-
Filesize
197B
MD50b982405a999928e2ccbe8427bd714e3
SHA1ab7528f5d605efa4d0630272cc6055951d8f3306
SHA2562b6649a587c39b9d53559d8a1b4a09d7aa72664ea8b29f7d55a763635a94bc21
SHA512ccd54ffe25c36ad3e10f083fb88e1b766a17b555283fa7de18454158df09b1e005f1f0de8a4b032afdc406e0bd17accd86282b68670758a22b3f38211ea75ecd
-
Filesize
197B
MD5fcb02c8d1310b991994a853fbc77f907
SHA1a40f1b5403bbf05ed8194854be55fa2aed93a271
SHA256c4fb72fefdf1411abcf347db5d002a6fef2559ab6c00065a72f9ff90376dff20
SHA51293ba1ef90582fc3375049c5e9d2df818f6e91ab7f01a88e00fbe7872a00d9046166a7508d38172e72da257badf1b7f4742606d5b782da3f7f1573418a61f2e73
-
Filesize
197B
MD55f34dd91b67e3e6cce9bff23023fba1e
SHA16e1c508d36895de29d7f822950c5418e3669d7f4
SHA2562e5c642c995124b651def3c03d99b7d911f0dbfeb15952a79a36753a24abf762
SHA512de7b1a2559f098c6370c0d1db1bdd3bff7c8338f28ec3e4d7fe66828b512c4a9002e1971d983cc42f9d372768776739160f6bd28648505b71fd5918456a3239e
-
Filesize
197B
MD500a7d2623671304e88923e97e449aade
SHA11364efd78d24e1e8153aaadaf2def767717aa130
SHA256c95b5e1165bd305657aed3278499e3536587b8ae65cf8aaa99a8c30904d865a7
SHA512a1f8b444aa9a5d06ed21e38dd844ffcafdd6dc1f480414b41cc9d2c637984407633555f50a864da375048a5b2069b3713786976cc46ec6621eced4f925e9ecce
-
Filesize
197B
MD54d4247814705e009157329a520f9e3b3
SHA17cfa598425716ff5c42ed51122f32131c6d4daa6
SHA2563ec0eb5c5b71f1ad28b4392c52dbb52ac0ba119e6af18f5fef17c146af49c045
SHA512fb5f1f5983d91dc48f37e10647236278d0f1274aa73686a027730e87bce9b07ad6e9ad5e0fa54becee850f0b33b3b3ed090ccd0b80a731c0e6adb48a7455d76c
-
Filesize
197B
MD5399924d5ceaded76fc71ddc01192ca5b
SHA1adf654ba327349b572f6703c9fbd482659591829
SHA256b07c9606420b77a721404206b43cf47eb1a4a185181c8c2d03a8130c9a110242
SHA512a05261b00c7f850dccda5a466ab55f307f74156ee7e1ddf3562e257219b424840f2c28473fc5ba1b3c70287da1bf127d6cae86d7bffba80bdf91e84d46a33d78
-
Filesize
197B
MD554fbf3131a7a654b542fda33da55a207
SHA148e9d33d10484efa36edbc696692eec402fb3fcc
SHA25664b6de21a44c7a9904505311ac5f0d4f85e0947604f94e6c3b9e51f047e481fd
SHA5129992b88c803b7b35c1171e6a67619254749af39084a141e82e8e24dda22428ef73f5630284d06c4ae8fe067f0d8895d77f722156344c34effec6cce6a980b24b
-
Filesize
197B
MD51de03e5acfa59717c6b97693f4c16438
SHA177ac6d79588b0f06fb5f9b28a03915ddcd5b7808
SHA256809b7412b35b7ba8c2aabb48f659d90db58264c5f930dd0ec341b95d655a9181
SHA5125f224684ac1085094eec4d2216a8450bae791510e32ad5ed9d28dde6f464e7ba105891a62aeed284478ae8019529b1d11ba9990665c3a90b677ebb45d2c5ad8a
-
Filesize
197B
MD587252dedc67e686a8047ac03ecd2310e
SHA1b9973782e07c20e5b389d9a19baa39309b6a07fd
SHA256d63e5da2af9a93aed6b873fa2bf798ca754bbd360c60415b4e26a3eaef3daf21
SHA512a96acae6a507894172646861132ad708665145d8fed2a8ff406a4567521f8d49e2dd60409753badd86f65ffd79745e9384b9c7b635a2ec9378305472a21d063a
-
Filesize
197B
MD57db8a8e4ba082515d2ba89a386caacfd
SHA105afc9082e37c1e90a91139149ac17963398b03d
SHA256341c4bbc8ced38be49120599fd92257fc418824217001007a944a93a35087f80
SHA512e11d4a56cd8b8085327e19cb3c5bb0a8a6bd9de76bd52c1d1d0aeb2651a5d2087da2b3491dd2d0bc1446154ed894e7826472bfe5a3b405fd28852dbc2f6e6923
-
Filesize
197B
MD53fe4dc2bc049629dcf4a8aa5eea56e59
SHA111f38aef6314fa5663b41354c0fd47ac38d4dc9a
SHA256600821eff272a1d3b102977888a930e55430d5d8200157ba1dc44903ba6487a8
SHA51239af477bbe44cd8259777cb6a9b1e39404368d00ea096d6d4bfc705bbb03906dbb6fd1fc5a66e7e3cfa3cd06c465c1b953b62aaa6bbf0222da34d12b8764d81c
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478