Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2024 15:46
Behavioral task
behavioral1
Sample
13DA266DA3CB746AA680DB5C41148524.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
13DA266DA3CB746AA680DB5C41148524.exe
Resource
win10v2004-20240709-en
General
-
Target
13DA266DA3CB746AA680DB5C41148524.exe
-
Size
1.1MB
-
MD5
13da266da3cb746aa680db5c41148524
-
SHA1
1d56737f102966336681e40ae281e4d83b400de6
-
SHA256
9d58a6e3c205e75ce97cfb19ede8caab8edaba08c3c425757acd728a6cbd6796
-
SHA512
c7d738df05173767ace1af0c0660b275589808687024ab3670a32c9546b982dbd8addfa0f34764712b9a640c7748d29ac3d4446583535c5747cf358624554dd5
-
SSDEEP
24576:U2G/nvxW3Ww0t1rRGRMtRqFtFVc/pJGn4czXV:UbA301rRb+ip12l
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5092 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4928 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1376 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3136 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4996 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 692 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2276 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2636 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4776 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3676 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4028 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3660 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1044 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1612 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4992 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1440 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4084 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4200 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3592 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4180 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4564 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5116 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1636 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3996 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3900 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1416 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4864 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4500 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4008 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3724 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4824 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4516 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1112 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3272 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3624 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2796 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4980 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 920 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2552 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3132 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1948 2488 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 2488 schtasks.exe -
Processes:
resource yara_rule C:\containerwinBroker\hostCrtnet.exe dcrat behavioral2/memory/4228-13-0x0000000000D40000-0x0000000000E16000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
hostCrtnet.exehostCrtnet.exe13DA266DA3CB746AA680DB5C41148524.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation hostCrtnet.exe Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation hostCrtnet.exe Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation 13DA266DA3CB746AA680DB5C41148524.exe Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 3 IoCs
Processes:
hostCrtnet.exehostCrtnet.execonhost.exepid process 4228 hostCrtnet.exe 872 hostCrtnet.exe 4536 conhost.exe -
Drops file in System32 directory 1 IoCs
Processes:
hostCrtnet.exedescription ioc process File created C:\Windows\SysWOW64\en-US\Licenses\System.exe hostCrtnet.exe -
Drops file in Program Files directory 10 IoCs
Processes:
hostCrtnet.exedescription ioc process File created C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe hostCrtnet.exe File created C:\Program Files\Windows Photo Viewer\it-IT\121e5b5079f7c0 hostCrtnet.exe File created C:\Program Files\VideoLAN\VLC\plugins\conhost.exe hostCrtnet.exe File created C:\Program Files\VideoLAN\VLC\plugins\088424020bedd6 hostCrtnet.exe File created C:\Program Files\Mozilla Firefox\fonts\dwm.exe hostCrtnet.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc hostCrtnet.exe File created C:\Program Files\Mozilla Firefox\fonts\6cb0b6c459d5d3 hostCrtnet.exe File created C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe hostCrtnet.exe File created C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e hostCrtnet.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe hostCrtnet.exe -
Drops file in Windows directory 8 IoCs
Processes:
hostCrtnet.exedescription ioc process File created C:\Windows\Web\Screen\smss.exe hostCrtnet.exe File created C:\Windows\Web\Screen\69ddcba757bf72 hostCrtnet.exe File created C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\sihost.exe hostCrtnet.exe File created C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\66fc9ff0ee96c2 hostCrtnet.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe hostCrtnet.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e hostCrtnet.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe hostCrtnet.exe File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6cb0b6c459d5d3 hostCrtnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
13DA266DA3CB746AA680DB5C41148524.exehostCrtnet.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings 13DA266DA3CB746AA680DB5C41148524.exe Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings hostCrtnet.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4304 schtasks.exe 1928 schtasks.exe 3724 schtasks.exe 3364 schtasks.exe 4084 schtasks.exe 5116 schtasks.exe 3900 schtasks.exe 2188 schtasks.exe 4776 schtasks.exe 1712 schtasks.exe 960 schtasks.exe 4640 schtasks.exe 3972 schtasks.exe 3660 schtasks.exe 4968 schtasks.exe 1440 schtasks.exe 2244 schtasks.exe 2700 schtasks.exe 3676 schtasks.exe 1948 schtasks.exe 692 schtasks.exe 2636 schtasks.exe 4028 schtasks.exe 3996 schtasks.exe 1720 schtasks.exe 5092 schtasks.exe 1636 schtasks.exe 4516 schtasks.exe 3136 schtasks.exe 1548 schtasks.exe 4008 schtasks.exe 3592 schtasks.exe 4564 schtasks.exe 5060 schtasks.exe 4928 schtasks.exe 1928 schtasks.exe 4864 schtasks.exe 4500 schtasks.exe 1112 schtasks.exe 4980 schtasks.exe 920 schtasks.exe 4656 schtasks.exe 1460 schtasks.exe 692 schtasks.exe 1720 schtasks.exe 1612 schtasks.exe 5020 schtasks.exe 1416 schtasks.exe 4704 schtasks.exe 4996 schtasks.exe 4996 schtasks.exe 2188 schtasks.exe 4748 schtasks.exe 4180 schtasks.exe 2292 schtasks.exe 3272 schtasks.exe 1376 schtasks.exe 2448 schtasks.exe 4620 schtasks.exe 3896 schtasks.exe 3136 schtasks.exe 2552 schtasks.exe 1524 schtasks.exe 2420 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
hostCrtnet.exehostCrtnet.execonhost.exepid process 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 4228 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 872 hostCrtnet.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe 4536 conhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
conhost.exepid process 4536 conhost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
hostCrtnet.exehostCrtnet.execonhost.exedescription pid process Token: SeDebugPrivilege 4228 hostCrtnet.exe Token: SeDebugPrivilege 872 hostCrtnet.exe Token: SeDebugPrivilege 4536 conhost.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
13DA266DA3CB746AA680DB5C41148524.exeWScript.execmd.exehostCrtnet.exehostCrtnet.execmd.exedescription pid process target process PID 4808 wrote to memory of 4828 4808 13DA266DA3CB746AA680DB5C41148524.exe WScript.exe PID 4808 wrote to memory of 4828 4808 13DA266DA3CB746AA680DB5C41148524.exe WScript.exe PID 4808 wrote to memory of 4828 4808 13DA266DA3CB746AA680DB5C41148524.exe WScript.exe PID 4828 wrote to memory of 3000 4828 WScript.exe cmd.exe PID 4828 wrote to memory of 3000 4828 WScript.exe cmd.exe PID 4828 wrote to memory of 3000 4828 WScript.exe cmd.exe PID 3000 wrote to memory of 4228 3000 cmd.exe hostCrtnet.exe PID 3000 wrote to memory of 4228 3000 cmd.exe hostCrtnet.exe PID 4228 wrote to memory of 872 4228 hostCrtnet.exe hostCrtnet.exe PID 4228 wrote to memory of 872 4228 hostCrtnet.exe hostCrtnet.exe PID 872 wrote to memory of 2096 872 hostCrtnet.exe cmd.exe PID 872 wrote to memory of 2096 872 hostCrtnet.exe cmd.exe PID 2096 wrote to memory of 1932 2096 cmd.exe w32tm.exe PID 2096 wrote to memory of 1932 2096 cmd.exe w32tm.exe PID 2096 wrote to memory of 4536 2096 cmd.exe conhost.exe PID 2096 wrote to memory of 4536 2096 cmd.exe conhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe"C:\Users\Admin\AppData\Local\Temp\13DA266DA3CB746AA680DB5C41148524.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\containerwinBroker\e8Rlw8Qp2tIZEv6MWU8.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\containerwinBroker\bc42ZgAN7HZpE65W.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\containerwinBroker\hostCrtnet.exe"C:\containerwinBroker\hostCrtnet.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\containerwinBroker\hostCrtnet.exe"C:\containerwinBroker\hostCrtnet.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lPIHrWAFjU.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1932
-
C:\Program Files\VideoLAN\VLC\plugins\conhost.exe"C:\Program Files\VideoLAN\VLC\plugins\conhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\containerwinBroker\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\containerwinBroker\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\containerwinBroker\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\containerwinBroker\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\containerwinBroker\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\containerwinBroker\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostCrtneth" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\hostCrtnet.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostCrtnet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\hostCrtnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hostCrtneth" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\hostCrtnet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\containerwinBroker\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containerwinBroker\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\containerwinBroker\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\containerwinBroker\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\containerwinBroker\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\containerwinBroker\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\containerwinBroker\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\plugins\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\containerwinBroker\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\containerwinBroker\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\containerwinBroker\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /f1⤵
- Process spawned unexpected child process
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\smss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\sihost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\sihost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\sihost.exe'" /rl HIGHEST /f1⤵PID:2636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1720
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA5128a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
214B
MD5ef60ec0d16286376b09ebd4d316e9c18
SHA1376962c289c1e315584a560caedac75c8e26f05a
SHA2564d8bab467d09d14e641675d0ccbcce82837c826dd755e9528e9fbf8a0cedd52d
SHA5127ac6e99c24963f9c8b3fd969ad87e74492df53abb2ef9d9654cbf5ff63dbac682a33665496e1675046fb5db4cbd522fb81d14dfa4b76e663ee822cb35d922e03
-
Filesize
520B
MD5e1d009764c0968e9e294589775b3f30a
SHA1195bdc065b571340dfb74295355ff981744bfe0c
SHA2566b5e1e96e863afae864d1b3e246ffc0d6043598c9d00785ac3cd85c97014e6dc
SHA5123f0c4bdc80d855453027f2f3e605985b650d2b78b5ebf5a0c9199bb4af9c8310c9a0a76379c50d9aef62b2230355e0a00a462897f7a8d696c0f2b6e3e38b4220
-
Filesize
38B
MD5196b374439b47033484388410d253f0a
SHA1de7a5511926ea62f37cad9a69fc8e294b1f0298a
SHA256e23d98ea0e60b2406ff8a3fd9f38eeca302af3c64e3a31ccd785cfbc624f59e8
SHA512d5c79063c0d863ce7c0bfca3eb00d27c0b072fb2c73a7c6453e105d1eb1df672d394f3add6dac7ecabfbae0d593d76b9b638a077f39d29d26e6ac09a5a40b9da
-
Filesize
211B
MD5f1a9dd02c8a9a467956dcc1840a64471
SHA16547289aa1da405deda3493955d0ef4fc4932637
SHA256013a7cef251cc1f5665f20aa516762582b37a13d9225e973625c68e0778f45e4
SHA512397fbec54b88034093bdfe9694cae48527af71055b7dcc5bfdff2ac9a5796d5a279b90a3c45ae0db63f4724a886f1713c9415bf58ef9215efc647f91702091d2
-
Filesize
828KB
MD5d4bae6d782c8dd872ca7f43ed837fc62
SHA16b09e88a37cee804b17d7f61d7af6d6140eba32d
SHA2566087c2c5696e21141be618103de53764253007890df7f61b70be61214a1ff6e0
SHA51216b3a5478332e851c2c1ffb6a77cdab723edd17de70ebff4a0a8652646bc7702b0d128068cea7b00f83163e11dd5b17b1406a87779c766c47cebf6ad4cf77930