Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 18:50

Behavioral task: behavioral1
- Sample: b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe
- Resource: win7-20240611-en

General
- Target: b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe
- Size: 2.2MB
- MD5: b4a9c4c518e302640bf6804e68ad5a67
- SHA1: c1afb7e8d7fdd2821e70cb591d588062bc68ca0e
- SHA256: 40bf6e7752907843a906d07c8531691ae36d1ca974bbd7a331c0e936ba046dcf
- SHA512: 4a2a5cc44afb4e0d06eb1de8d15d1f2c70135b976830bbdaca22178dcc8ce51c38ff15e5f8feb24c8cbd8473f910fe26a1f33f9f17001925a94e0ec6e0efe161
- SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZY:0UzeyQMS4DqodCnoe+iitjWwwc
Malware Config

Extracted: pony
- http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe (process: b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe (process: b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe)
Executes dropped EXE (64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Suspicious use of SetThreadContext (54 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4440 (process: explorer.exe)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the image path, PID, command line and, in brackets, the signatures that process triggered; indentation shows the parent/child relationship.
- C:\Users\Admin\AppData\Local\Temp\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe (PID 1448), cmd: "C:\Users\Admin\AppData\Local\Temp\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe" [Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
  - C:\Windows\splwow64.exe (PID 624), cmd: C:\Windows\splwow64.exe 12288
  - C:\Users\Admin\AppData\Local\Temp\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe (PID 4044), cmd: "C:\Users\Admin\AppData\Local\Temp\b4a9c4c518e302640bf6804e68ad5a67_JaffaCakes118.exe" [Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
    - \??\c:\windows\system\explorer.exe (PID 2248), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory]
      - \??\c:\windows\system\explorer.exe (PID 4440), cmd: "c:\windows\system\explorer.exe" [Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Modifies Installed Components in the registry; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
        - \??\c:\windows\system\spoolsv.exe (PID 3320), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 232), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 2240), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 3380), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 212), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1628), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 752), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 3984), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 1004), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 2764), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 5024), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 2536), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3396), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4648), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4428), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 2644), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4996), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4952), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 2324), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4340), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 1528), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1116), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 2468), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 1616), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 4584), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 3992), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3960), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4564), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4528), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4368), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 448), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 2412), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4968), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 388), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 2920), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 2940), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 3488), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 1920), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 1444), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 2880), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 1572), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1784), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 228), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 4700), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 4884), cmd: c:\windows\system\explorer.exe [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 696), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 1160), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1912), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3696), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1336), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3704), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4608), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 2540), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 2580), cmd: "c:\windows\system\spoolsv.exe" [Executes dropped EXE; Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4724), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4152), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 4984), cmd: c:\windows\system\explorer.exe [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 2340), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 5016), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1436), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3148), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 2092), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 3812), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 644), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 1456), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4424), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 1852), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1544), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
            - \??\c:\windows\system\explorer.exe (PID 4716), cmd: c:\windows\system\explorer.exe [Suspicious use of SetThreadContext]
              - \??\c:\windows\system\explorer.exe (PID 376), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 1768), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 2428), cmd: "c:\windows\system\spoolsv.exe" [Suspicious use of SetWindowsHookEx]
        - \??\c:\windows\system\spoolsv.exe (PID 4192), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 2896), cmd: "c:\windows\system\spoolsv.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 2548), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4752), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 1472), cmd: c:\windows\system\explorer.exe [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 2664), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 3672), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1092), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 3036), cmd: c:\windows\system\explorer.exe [Suspicious use of SetThreadContext; Drops file in Windows directory]
              - \??\c:\windows\system\explorer.exe (PID 1740), cmd: "c:\windows\system\explorer.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 2072), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 428), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 628), cmd: c:\windows\system\explorer.exe [Drops file in Windows directory]
        - \??\c:\windows\system\spoolsv.exe (PID 2780), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 432), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 4156), cmd: c:\windows\system\explorer.exe [Drops file in Windows directory]
        - \??\c:\windows\system\spoolsv.exe (PID 2640), cmd: c:\windows\system\spoolsv.exe SE [Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1448), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 4880), cmd: c:\windows\system\explorer.exe [Drops file in Windows directory]
        - \??\c:\windows\system\spoolsv.exe (PID 1596), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 696), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 5040), cmd: c:\windows\system\explorer.exe
        - \??\c:\windows\system\spoolsv.exe (PID 2216), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 3256), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 4008), cmd: c:\windows\system\explorer.exe
        - \??\c:\windows\system\spoolsv.exe (PID 4392), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4988), cmd: "c:\windows\system\spoolsv.exe"
            - \??\c:\windows\system\explorer.exe (PID 5068), cmd: c:\windows\system\explorer.exe [Drops file in Windows directory]
        - \??\c:\windows\system\spoolsv.exe (PID 4144), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 4796), cmd: "c:\windows\system\spoolsv.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 4656), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext; Drops file in Windows directory]
          - \??\c:\windows\system\spoolsv.exe (PID 1040), cmd: "c:\windows\system\spoolsv.exe"
        - \??\c:\windows\system\spoolsv.exe (PID 4084), cmd: c:\windows\system\spoolsv.exe SE [Suspicious use of SetThreadContext]
          - \??\c:\windows\system\spoolsv.exe (PID 856), cmd: "c:\windows\system\spoolsv.exe"
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵PID:2656
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4348
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
PID:3328 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:4596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4864 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵PID:1984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:4932
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3744
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1652
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:3056
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2496
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:916
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4236
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2272
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3316
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2328
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:4092
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:2132
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:992
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2868
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
PID:2900
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:3392
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵PID:1624
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4128
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads

Filesize 74B
MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize 2.2MB
MD5 2e935672927befa255489b5a754c99e8
SHA1 a2d12443dd4ef92964f49e9f4229ebb774d82172
SHA256 fcf58ab27eb5c375cb7a5677a471375a16a846d5834527cb485696da30f6e2d8
SHA512 374a145859c6c8e4a40a7820b6dc5022e5fb04755bad0a0e1cb0a62d7558fe9fae1cd5fdd984f953b35fb2779a55e214d2fca1df88b8c7f6fbdcd9f2396c8b9e

Filesize 2.2MB
MD5 273424abf8086206ff981ad228ad65ab
SHA1 05402a37014a86e4caf27b0d5888e20fff2b8db5
SHA256 b4c7557d7cfb90d07e2ba803413264b0c29b1a13ea23fba37a934f272a9780ff
SHA512 4dcc80d5842b2abe6466813bd420b6d9dc6a56b686d606f0f530a777fa0da5d14e2e11fb243e735cb87d67e87c545b5727cf9ad577b35015d544aec439e9c939