Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 02:41
Behavioral task: behavioral1
Sample: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Resource: win10v2004-20240709-en
General
Target: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Size: 2.0MB
MD5: 40ac7d11ebb91612d8d5c16c05af0a13
SHA1: 543a6c16f8f058fb6ba029ee3a9c5fde92aaa212
SHA256: 4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
SHA512: 223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c
SSDEEP: 49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl
Malware Config
Signatures
DcRat 59 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe (57 instances), ComInto.exe, 40ac7d11ebb91612d8d5c16c05af0a13.exe
pid  process
660  schtasks.exe
980  schtasks.exe
4396  schtasks.exe
2660  schtasks.exe
4080  schtasks.exe
3484  schtasks.exe
3464  schtasks.exe
5088  schtasks.exe
1688  schtasks.exe
3404  schtasks.exe
952  schtasks.exe
968  schtasks.exe
5104  schtasks.exe
3240  schtasks.exe
1976  schtasks.exe
2984  schtasks.exe
780  schtasks.exe
4288  schtasks.exe
1408  schtasks.exe
2488  schtasks.exe
796  schtasks.exe
4724  schtasks.exe
4336  schtasks.exe
1028  schtasks.exe
1988  schtasks.exe
4104  schtasks.exe
3340  schtasks.exe
3392  schtasks.exe
4712  schtasks.exe
3944  schtasks.exe
1048  schtasks.exe
description  ioc  process
File created  C:\Program Files\Windows Defender\en-US\56085415360792  ComInto.exe
pid  process
1112  schtasks.exe
1540  schtasks.exe
2828  schtasks.exe
3328  schtasks.exe
4316  schtasks.exe
4388  schtasks.exe
1496  schtasks.exe
4260  schtasks.exe
1264  schtasks.exe
5116  schtasks.exe
4744  schtasks.exe
3564  schtasks.exe
1544  schtasks.exe
2768  schtasks.exe
1176  schtasks.exe
2340  schtasks.exe
3400  schtasks.exe
2796  schtasks.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  40ac7d11ebb91612d8d5c16c05af0a13.exe
pid  process
736  schtasks.exe
3668  schtasks.exe
1444  schtasks.exe
3916  schtasks.exe
3580  schtasks.exe
4496  schtasks.exe
1432  schtasks.exe
4972  schtasks.exe
Modifies WinLogon for persistence 2 TTPs 19 IoCs
Processes: ComInto.exe
description  ioc  process
All 19 entries are "Set value (str)" writes by ComInto.exe to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Every value begins with explorer.exe and then appends a comma-separated, quoted prefix of the following path list (the value grows by one or two paths per write):
1. C:\Program Files\Windows Defender\en-US\wininit.exe
2. C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe
3. C:\Program Files (x86)\Google\Temp\Registry.exe
4. C:\Program Files\Windows Security\upfc.exe
5. C:\componentCommon\Idle.exe
6. C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe
7. C:\Program Files (x86)\Windows Defender\dllhost.exe
8. C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe
9. C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe
10. C:\Users\Admin\Registry.exe
11. C:\Windows\debug\taskhostw.exe
12. C:\Windows\Setup\State\dllhost.exe
13. C:\Program Files\VideoLAN\SearchApp.exe
14. C:\Recovery\WindowsRE\unsecapp.exe
15. C:\Windows\tracing\spoolsv.exe
16. C:\componentCommon\RuntimeBroker.exe
17. C:\Users\Public\Desktop\dllhost.exe
18. C:\Program Files\Windows Mail\unsecapp.exe
19. C:\Recovery\WindowsRE\cmd.exe
The longest value written (all 19 paths), exactly as recorded:
Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\", \"C:\\Program Files\\Windows Security\\upfc.exe\", \"C:\\componentCommon\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\Registry.exe\", \"C:\\Windows\\debug\\taskhostw.exe\", \"C:\\Windows\\Setup\\State\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\componentCommon\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\Program Files\\Windows Mail\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\cmd.exe\""
Values observed, in the order the report lists them (each is explorer.exe followed by the listed prefix of the path list):
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-9  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-10  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-11  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-12  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-14  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-4  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-7  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-13  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-16  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-17  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-19  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-2  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-3  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-8  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-18  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + path 1  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-5  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-6  ComInto.exe
Set value (str)  Winlogon\Shell = explorer.exe + paths 1-15  ComInto.exe
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (57 instances)
description  pid  pid_target  process
All 57 rows carry the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", the same pid_target 4216 and the same process schtasks.exe; only the pid differs:
980  4216  schtasks.exe
4336  4216  schtasks.exe
4316  4216  schtasks.exe
3340  4216  schtasks.exe
5088  4216  schtasks.exe
3668  4216  schtasks.exe
2828  4216  schtasks.exe
1988  4216  schtasks.exe
1544  4216  schtasks.exe
660  4216  schtasks.exe
1048  4216  schtasks.exe
1028  4216  schtasks.exe
1496  4216  schtasks.exe
4744  4216  schtasks.exe
4080  4216  schtasks.exe
3328  4216  schtasks.exe
4260  4216  schtasks.exe
3564  4216  schtasks.exe
3392  4216  schtasks.exe
4388  4216  schtasks.exe
736  4216  schtasks.exe
1408  4216  schtasks.exe
2796  4216  schtasks.exe
968  4216  schtasks.exe
4496  4216  schtasks.exe
1688  4216  schtasks.exe
4712  4216  schtasks.exe
1264  4216  schtasks.exe
5104  4216  schtasks.exe
1176  4216  schtasks.exe
1112  4216  schtasks.exe
1444  4216  schtasks.exe
3404  4216  schtasks.exe
3240  4216  schtasks.exe
1432  4216  schtasks.exe
4972  4216  schtasks.exe
2488  4216  schtasks.exe
1540  4216  schtasks.exe
4104  4216  schtasks.exe
796  4216  schtasks.exe
1976  4216  schtasks.exe
3484  4216  schtasks.exe
2340  4216  schtasks.exe
3916  4216  schtasks.exe
2984  4216  schtasks.exe
3464  4216  schtasks.exe
780  4216  schtasks.exe
4724  4216  schtasks.exe
3400  4216  schtasks.exe
952  4216  schtasks.exe
2660  4216  schtasks.exe
3944  4216  schtasks.exe
4288  4216  schtasks.exe
4396  4216  schtasks.exe
5116  4216  schtasks.exe
3580  4216  schtasks.exe
2768  4216  schtasks.exe
Processes:
resource  yara_rule
C:\componentCommon\ComInto.exe  dcrat
behavioral2/memory/3972-13-0x0000000000BA0000-0x0000000000D4C000-memory.dmp  dcrat
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
40ac7d11ebb91612d8d5c16c05af0a13.exe, WScript.exe, ComInto.exe, dllhost.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  40ac7d11ebb91612d8d5c16c05af0a13.exe
Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  ComInto.exe
Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  dllhost.exe
Executes dropped EXE 2 IoCs
Processes:
ComInto.exe, dllhost.exe
pid  process
3972  ComInto.exe
2800  dllhost.exe
Adds Run key to start application 2 TTPs 38 IoCs
Processes:
ComInto.exe
description  ioc  process
All 38 entries are "Set value (str)" writes by ComInto.exe. In the rows below, HKU\Run stands for \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\Run for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Set value (str)  HKU\Run\taskhostw = "\"C:\\Windows\\debug\\taskhostw.exe\""  ComInto.exe
Set value (str)  HKU\Run\dllhost = "\"C:\\Windows\\Setup\\State\\dllhost.exe\""  ComInto.exe
Set value (str)  HKU\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\SearchApp.exe\""  ComInto.exe
Set value (str)  HKU\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\""  ComInto.exe
Set value (str)  HKU\Run\upfc = "\"C:\\Program Files\\Windows Security\\upfc.exe\""  ComInto.exe
Set value (str)  HKU\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\""  ComInto.exe
Set value (str)  HKLM\Run\RuntimeBroker = "\"C:\\componentCommon\\RuntimeBroker.exe\""  ComInto.exe
Set value (str)  HKLM\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\""  ComInto.exe
Set value (str)  HKU\Run\StartMenuExperienceHost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\""  ComInto.exe
Set value (str)  HKLM\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\""  ComInto.exe
Set value (str)  HKLM\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\""  ComInto.exe
Set value (str)  HKU\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\""  ComInto.exe
Set value (str)  HKU\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""  ComInto.exe
Set value (str)  HKU\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\""  ComInto.exe
Set value (str)  HKU\Run\Idle = "\"C:\\componentCommon\\Idle.exe\""  ComInto.exe
Set value (str)  HKLM\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\""  ComInto.exe
Set value (str)  HKLM\Run\unsecapp = "\"C:\\Program Files\\Windows Mail\\unsecapp.exe\""  ComInto.exe
Set value (str)  HKLM\Run\cmd = "\"C:\\Recovery\\WindowsRE\\cmd.exe\""  ComInto.exe
Set value (str)  HKU\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\""  ComInto.exe
Set value (str)  HKLM\Run\StartMenuExperienceHost = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\reports\\StartMenuExperienceHost.exe\""  ComInto.exe
Set value (str)  HKLM\Run\dllhost = "\"C:\\Windows\\Setup\\State\\dllhost.exe\""  ComInto.exe
Set value (str)  HKLM\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""  ComInto.exe
Set value (str)  HKU\Run\Registry = "\"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\""  ComInto.exe
Set value (str)  HKLM\Run\Idle = "\"C:\\componentCommon\\Idle.exe\""  ComInto.exe
Set value (str)  HKU\Run\upfc = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\""  ComInto.exe
Set value (str)  HKLM\Run\upfc = "\"C:\\Program Files\\Windows Security\\upfc.exe\""  ComInto.exe
Set value (str)  HKU\Run\unsecapp = "\"C:\\Program Files\\Windows Mail\\unsecapp.exe\""  ComInto.exe
Set value (str)  HKU\Run\wininit = "\"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\""  ComInto.exe
Set value (str)  HKLM\Run\wininit = "\"C:\\Program Files\\Windows Defender\\en-US\\wininit.exe\""  ComInto.exe
Set value (str)  HKU\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\csrss.exe\""  ComInto.exe
Set value (str)  HKLM\Run\Registry = "\"C:\\Users\\Admin\\Registry.exe\""  ComInto.exe
Set value (str)  HKLM\Run\SearchApp = "\"C:\\Program Files\\VideoLAN\\SearchApp.exe\""  ComInto.exe
Set value (str)  HKU\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\""  ComInto.exe
Set value (str)  HKU\Run\RuntimeBroker = "\"C:\\componentCommon\\RuntimeBroker.exe\""  ComInto.exe
Set value (str)  HKLM\Run\upfc = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\upfc.exe\""  ComInto.exe
Set value (str)  HKLM\Run\Registry = "\"C:\\Program Files (x86)\\Google\\Temp\\Registry.exe\""  ComInto.exe
Set value (str)  HKLM\Run\dllhost = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\dllhost.exe\""  ComInto.exe
Set value (str)  HKLM\Run\taskhostw = "\"C:\\Windows\\debug\\taskhostw.exe\""  ComInto.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
25  ipinfo.io
26  ipinfo.io
Drops file in Program Files directory 19 IoCs
Processes:
ComInto.exe
description  ioc  process
File created  C:\Program Files\Windows Security\ea1d8f6d871115  ComInto.exe
File created  C:\Program Files\Windows Photo Viewer\es-ES\5940a34987c991  ComInto.exe
File created  C:\Program Files\Windows Mail\29c1c3cc0f7685  ComInto.exe
File created  C:\Program Files\Windows Defender\en-US\wininit.exe  ComInto.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\ea1d8f6d871115  ComInto.exe
File created  C:\Program Files (x86)\Google\Temp\Registry.exe  ComInto.exe
File created  C:\Program Files\Windows Security\upfc.exe  ComInto.exe
File created  C:\Program Files (x86)\Windows Defender\5940a34987c991  ComInto.exe
File created  C:\Program Files\Windows Mail\unsecapp.exe  ComInto.exe
File opened for modification  C:\Program Files\Windows Defender\en-US\wininit.exe  ComInto.exe
File created  C:\Program Files\Windows Defender\en-US\56085415360792  ComInto.exe
File created  C:\Program Files (x86)\Google\Temp\ee2ad38f3d4382  ComInto.exe
File created  C:\Program Files (x86)\Windows Defender\dllhost.exe  ComInto.exe
File created  C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe  ComInto.exe
File created  C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe  ComInto.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe  ComInto.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\886983d96e3d3e  ComInto.exe
File created  C:\Program Files\VideoLAN\SearchApp.exe  ComInto.exe
File created  C:\Program Files\VideoLAN\38384e6a620884  ComInto.exe
Drops file in Windows directory 8 IoCs
Processes:
description ioc process
File created C:\Windows\debug\taskhostw.exe ComInto.exe
File created C:\Windows\debug\ea9f0e6c9e2dcd ComInto.exe
File created C:\Windows\Setup\State\dllhost.exe ComInto.exe
File created C:\Windows\Setup\State\5940a34987c991 ComInto.exe
File created C:\Windows\tracing\spoolsv.exe ComInto.exe
File created C:\Windows\tracing\f3b6ecef712a24 ComInto.exe
File created C:\Windows\servicing\FodMetadata\dllhost.exe ComInto.exe
File created C:\Windows\ImmersiveControlPanel\uk-UA\Registry.exe ComInto.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings 40ac7d11ebb91612d8d5c16c05af0a13.exe
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings dllhost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
schtasks.exe (57 instances), PIDs: 5104, 1112, 1444, 796, 3916, 3400, 4972, 660, 2660, 1544, 2984, 4724, 3668, 1496, 2796, 4288, 3580, 2828, 3404, 980, 1408, 4712, 1176, 3944, 2768, 3328, 4496, 4104, 1264, 1976, 3484, 4080, 4260, 736, 1432, 5116, 3464, 4396, 4336, 4316, 5088, 1988, 3240, 2488, 3340, 1688, 952, 1048, 1028, 3392, 4388, 1540, 780, 3564, 968, 2340, 4744 -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid process
3972 ComInto.exe (15 events)
2800 dllhost.exe (9 events) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2800 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3972 ComInto.exe
Token: SeDebugPrivilege 2800 dllhost.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description pid process target process
PID 4604 wrote to memory of 2548 4604 40ac7d11ebb91612d8d5c16c05af0a13.exe WScript.exe (3 events)
PID 2548 wrote to memory of 4428 2548 WScript.exe cmd.exe (3 events)
PID 4428 wrote to memory of 3972 4428 cmd.exe ComInto.exe (2 events)
PID 3972 wrote to memory of 2800 3972 ComInto.exe dllhost.exe (2 events)
PID 2800 wrote to memory of 116 2800 dllhost.exe WScript.exe (2 events)
PID 2800 wrote to memory of 1896 2800 dllhost.exe WScript.exe (2 events) -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe
"C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604
  C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2548
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "
    - Suspicious use of WriteProcessMemory
    PID:4428
      C:\componentCommon\ComInto.exe
      "C:\componentCommon\ComInto.exe"
      - DcRat
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:3972
        C:\Program Files (x86)\Windows Defender\dllhost.exe
        "C:\Program Files (x86)\Windows Defender\dllhost.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2800
          C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ce3b56-c439-40a9-b2e4-c039547d6ac8.vbs"
          PID:116
          C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621eaf17-544c-41c2-833b-ffcff2aefa6b.vbs"
          PID:1896
-
The following 57 top-level processes are all C:\Windows\system32\schtasks.exe, and each carries the same three flags: DcRat, Process spawned unexpected child process, and Scheduled Task/Job: Scheduled Task.
PID:980  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /f
PID:4336  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f
PID:4316  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\wininit.exe'" /rl HIGHEST /f
PID:3340  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /f
PID:5088  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
PID:3668  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\upfc.exe'" /rl HIGHEST /f
PID:2828  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /f
PID:1988  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f
PID:1544  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\Registry.exe'" /rl HIGHEST /f
PID:660  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\upfc.exe'" /f
PID:1048  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f
PID:1028  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\upfc.exe'" /rl HIGHEST /f
PID:1496  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\componentCommon\Idle.exe'" /f
PID:4744  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\componentCommon\Idle.exe'" /rl HIGHEST /f
PID:4080  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\componentCommon\Idle.exe'" /rl HIGHEST /f
PID:3328  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /f
PID:4260  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f
PID:3564  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f
PID:3392  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
PID:4388  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
PID:736  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
PID:1408  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /f
PID:2796  schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID:968  schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID:4496  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /f
PID:1688  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
PID:4712  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
PID:1264  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Registry.exe'" /f
PID:5104  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
PID:1176  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
PID:1112  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\taskhostw.exe'" /f
PID:1444  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\debug\taskhostw.exe'" /rl HIGHEST /f
PID:3404  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\taskhostw.exe'" /rl HIGHEST /f
PID:3240  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\dllhost.exe'" /f
PID:1432  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
PID:4972  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
PID:2488  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /f
PID:1540  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f
PID:4104  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\SearchApp.exe'" /rl HIGHEST /f
PID:1976  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
PID:796  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
PID:3484  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
PID:2340  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\spoolsv.exe'" /f
PID:3916  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
PID:2984  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
PID:3464  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\componentCommon\RuntimeBroker.exe'" /f
PID:780  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\componentCommon\RuntimeBroker.exe'" /rl HIGHEST /f
PID:4724  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\componentCommon\RuntimeBroker.exe'" /rl HIGHEST /f
PID:3400  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
PID:952  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
PID:2660  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
PID:3944  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /f
PID:4288  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
PID:4396  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
PID:5116  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
PID:3580  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
PID:2768  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads