Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 16:02
Behavioral task: behavioral1
Sample: b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe
Resource: win7-20240611-en
General

Target: b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe
Size: 2.2MB
MD5: b45e3a1df0aa60ce4d1abcc1b7b474db
SHA1: 418d22bd28cf2f63089d1ea57f3a3802d4950386
SHA256: 5c2450ce3bce154d92644899ddaa194dc16649238a1841157568519847f56f35
SHA512: c2c566eca9bc590cc174ca5b551050f12aa93d9afdbdb7f3d2ccef73ecdecbeb3463710c8abcd88b8d98eb1910a51743a87930d381abfc19429f406d12fc3a12
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZt:0UzeyQMS4DqodCnoe+iitjWww5
Malware Config

Extracted family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  process: explorer.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  process: explorer.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  process: explorer.exe

Drops startup file 2 IoCs
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe  process: b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe  process: b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  process: explorer.exe
Suspicious use of SetThreadContext 54 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 3364  explorer.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Indentation shows parent/child depth; each process line gives the PID, the image path and the command line, followed by the signatures that process triggered.

PID 2808  C:\Users\Admin\AppData\Local\Temp\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID 2616  C:\Windows\splwow64.exe  cmd: C:\Windows\splwow64.exe 12288
  PID 4932  C:\Users\Admin\AppData\Local\Temp\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\b45e3a1df0aa60ce4d1abcc1b7b474db_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 2496  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID 3364  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 2332  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3068  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 3604  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 2968  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 4444  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 2484  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4336  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4024  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1232  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1352  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4668  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2196  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2008  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1704  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1200  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1344  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 3872  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 408  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 616  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3540  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1316  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 8  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1512  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3032  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 3004  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2420  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 992  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 2956  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4440  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 3148  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 2600  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 4364  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 864  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 4524  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 2940  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 4756  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1972  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4980  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4172  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2256  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4264  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4492  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 4000  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3708  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 5108  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 216  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID 1192  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 1548  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 4772  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4556  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 1620  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4616  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        PID 5092  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 3128  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 4088  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3488  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 512  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2852  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 3752  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1260  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 1988  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2248  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 1772  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 1676  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
            PID 1596  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 2460  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 3412  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 5080  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            - Suspicious use of SetWindowsHookEx
        PID 828  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5048  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        PID 3348  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2848  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        PID 3696  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2572  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 2664  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 1668  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 3504  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1044  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 4912  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              PID 1360  \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"
        PID 4992  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3640  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 1824  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 2568  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 5076  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 2260  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
        PID 3356  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1448  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 3952  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 5072  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 1728  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 3972  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 3992  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 4036  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        PID 1924  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          PID 2016  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 5008  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 4328  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3516  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        PID 2752  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3276  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
            PID 2076  \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe
              - Drops file in Windows directory
        PID 3592  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 3184  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
        PID 4944  \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          PID 2396  \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2296 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4760
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2272 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:3316
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:1920
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:2592
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1120
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2152
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4976
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2456
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4732
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1356
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3680
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4452
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4548
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2676
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2440
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:5012
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4308
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:1036
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:760
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4340
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1888
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
- Filesize 74B
- Filesize 2.2MB
- Filesize 2.2MB