Analysis
max time kernel: 144s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:22
-
Behavioral task: behavioral1
Sample: JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe
Resource: win7-20240903-en
-
Behavioral task: behavioral2
Sample: JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe
Size: 1.3MB
MD5: c78d381d1da97ddd179f3a8fd6af44bd
SHA1: 057884d32b575d1a82c584da00d973e906ee834b
SHA256: 455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3
SHA512: 5b0d8e86cb9b652442fd0eff9ea5d0a90f826aeb8be68498e09735423dadeded9ff7ba6da924aa2ec485cda999b660803e5f5d4d7194e73e8bd4e170636e7864
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
resource | yara_rule
behavioral1/files/0x0007000000016db5-9.dat | dcrat
behavioral1/memory/1852-13-0x00000000003A0000-0x00000000004B0000-memory.dmp | dcrat
behavioral1/memory/2740-75-0x00000000011D0000-0x00000000012E0000-memory.dmp | dcrat
behavioral1/memory/2924-193-0x0000000000380000-0x0000000000490000-memory.dmp | dcrat
behavioral1/memory/2564-254-0x0000000000D30000-0x0000000000E40000-memory.dmp | dcrat
behavioral1/memory/3032-314-0x00000000011F0000-0x0000000001300000-memory.dmp | dcrat
behavioral1/memory/664-492-0x0000000000100000-0x0000000000210000-memory.dmp | dcrat
behavioral1/memory/2800-552-0x0000000000E10000-0x0000000000F20000-memory.dmp | dcrat
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1652 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2652 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1212 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1556 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 492 | 2832 | schtasks.exe | 34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2284 | 2832 | schtasks.exe | 34
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2172 | powershell.exe
340 | powershell.exe
2576 | powershell.exe
2144 | powershell.exe
2352 | powershell.exe
2372 | powershell.exe
1624 | powershell.exe
1456 | powershell.exe
1396 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
1852 | DllCommonsvc.exe
2740 | explorer.exe
1556 | explorer.exe
2924 | explorer.exe
2564 | explorer.exe
3032 | explorer.exe
2020 | explorer.exe
2992 | explorer.exe
664 | explorer.exe
2800 | explorer.exe
952 | explorer.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2296 | cmd.exe
2296 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
flow | ioc
9 | raw.githubusercontent.com
12 | raw.githubusercontent.com
22 | raw.githubusercontent.com
28 | raw.githubusercontent.com
4 | raw.githubusercontent.com
15 | raw.githubusercontent.com
19 | raw.githubusercontent.com
25 | raw.githubusercontent.com
31 | raw.githubusercontent.com
5 | raw.githubusercontent.com
-
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\explorer.exe | DllCommonsvc.exe
File created | C:\Program Files\Windows Portable Devices\7a0fd90576e088 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe | DllCommonsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\42af1c969fbb7b | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\conhost.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\088424020bedd6 | DllCommonsvc.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\WmiPrvSE.exe | DllCommonsvc.exe
File created | C:\Windows\SoftwareDistribution\DataStore\Logs\24dbde2999530e | DllCommonsvc.exe
File created | C:\Windows\Branding\Basebrd\it-IT\winlogon.exe | DllCommonsvc.exe
File created | C:\Windows\Branding\Basebrd\it-IT\cc11b995f2a76d | DllCommonsvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1992 | schtasks.exe
2912 | schtasks.exe
2924 | schtasks.exe
2876 | schtasks.exe
1212 | schtasks.exe
2824 | schtasks.exe
2592 | schtasks.exe
1108 | schtasks.exe
2652 | schtasks.exe
1844 | schtasks.exe
2580 | schtasks.exe
2692 | schtasks.exe
2500 | schtasks.exe
2708 | schtasks.exe
2608 | schtasks.exe
2664 | schtasks.exe
3044 | schtasks.exe
1668 | schtasks.exe
1020 | schtasks.exe
1592 | schtasks.exe
1556 | schtasks.exe
2284 | schtasks.exe
1652 | schtasks.exe
492 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
1852 | DllCommonsvc.exe
1396 | powershell.exe
2576 | powershell.exe
1624 | powershell.exe
1456 | powershell.exe
2372 | powershell.exe
2144 | powershell.exe
340 | powershell.exe
2352 | powershell.exe
2172 | powershell.exe
2740 | explorer.exe
1556 | explorer.exe
2924 | explorer.exe
2564 | explorer.exe
3032 | explorer.exe
2020 | explorer.exe
2992 | explorer.exe
664 | explorer.exe
2800 | explorer.exe
952 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1852 | DllCommonsvc.exe
Token: SeDebugPrivilege | 1396 | powershell.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1456 | powershell.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 2144 | powershell.exe
Token: SeDebugPrivilege | 340 | powershell.exe
Token: SeDebugPrivilege | 2352 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 2740 | explorer.exe
Token: SeDebugPrivilege | 1556 | explorer.exe
Token: SeDebugPrivilege | 2924 | explorer.exe
Token: SeDebugPrivilege | 2564 | explorer.exe
Token: SeDebugPrivilege | 3032 | explorer.exe
Token: SeDebugPrivilege | 2020 | explorer.exe
Token: SeDebugPrivilege | 2992 | explorer.exe
Token: SeDebugPrivilege | 664 | explorer.exe
Token: SeDebugPrivilege | 2800 | explorer.exe
Token: SeDebugPrivilege | 952 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3000 wrote to memory of 2504 | 3000 | JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe | 30
PID 3000 wrote to memory of 2504 | 3000 | JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe | 30
PID 3000 wrote to memory of 2504 | 3000 | JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe | 30
PID 3000 wrote to memory of 2504 | 3000 | JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe | 30
PID 2504 wrote to memory of 2296 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 2296 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 2296 | 2504 | WScript.exe | 31
PID 2504 wrote to memory of 2296 | 2504 | WScript.exe | 31
PID 2296 wrote to memory of 1852 | 2296 | cmd.exe | 33
PID 2296 wrote to memory of 1852 | 2296 | cmd.exe | 33
PID 2296 wrote to memory of 1852 | 2296 | cmd.exe | 33
PID 2296 wrote to memory of 1852 | 2296 | cmd.exe | 33
PID 1852 wrote to memory of 2372 | 1852 | DllCommonsvc.exe | 59
PID 1852 wrote to memory of 2372 | 1852 | DllCommonsvc.exe | 59
PID 1852 wrote to memory of 2372 | 1852 | DllCommonsvc.exe | 59
PID 1852 wrote to memory of 1624 | 1852 | DllCommonsvc.exe | 60
PID 1852 wrote to memory of 1624 | 1852 | DllCommonsvc.exe | 60
PID 1852 wrote to memory of 1624 | 1852 | DllCommonsvc.exe | 60
PID 1852 wrote to memory of 2172 | 1852 | DllCommonsvc.exe | 61
PID 1852 wrote to memory of 2172 | 1852 | DllCommonsvc.exe | 61
PID 1852 wrote to memory of 2172 | 1852 | DllCommonsvc.exe | 61
PID 1852 wrote to memory of 2352 | 1852 | DllCommonsvc.exe | 62
PID 1852 wrote to memory of 2352 | 1852 | DllCommonsvc.exe | 62
PID 1852 wrote to memory of 2352 | 1852 | DllCommonsvc.exe | 62
PID 1852 wrote to memory of 2144 | 1852 | DllCommonsvc.exe | 65
PID 1852 wrote to memory of 2144 | 1852 | DllCommonsvc.exe | 65
PID 1852 wrote to memory of 2144 | 1852 | DllCommonsvc.exe | 65
PID 1852 wrote to memory of 2576 | 1852 | DllCommonsvc.exe | 66
PID 1852 wrote to memory of 2576 | 1852 | DllCommonsvc.exe | 66
PID 1852 wrote to memory of 2576 | 1852 | DllCommonsvc.exe | 66
PID 1852 wrote to memory of 340 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 340 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 340 | 1852 | DllCommonsvc.exe | 70
PID 1852 wrote to memory of 1396 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 1396 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 1396 | 1852 | DllCommonsvc.exe | 71
PID 1852 wrote to memory of 1456 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 1456 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 1456 | 1852 | DllCommonsvc.exe | 72
PID 1852 wrote to memory of 744 | 1852 | DllCommonsvc.exe | 77
PID 1852 wrote to memory of 744 | 1852 | DllCommonsvc.exe | 77
PID 1852 wrote to memory of 744 | 1852 | DllCommonsvc.exe | 77
PID 744 wrote to memory of 1912 | 744 | cmd.exe | 79
PID 744 wrote to memory of 1912 | 744 | cmd.exe | 79
PID 744 wrote to memory of 1912 | 744 | cmd.exe | 79
PID 744 wrote to memory of 2740 | 744 | cmd.exe | 81
PID 744 wrote to memory of 2740 | 744 | cmd.exe | 81
PID 744 wrote to memory of 2740 | 744 | cmd.exe | 81
PID 2740 wrote to memory of 2900 | 2740 | explorer.exe | 82
PID 2740 wrote to memory of 2900 | 2740 | explorer.exe | 82
PID 2740 wrote to memory of 2900 | 2740 | explorer.exe | 82
PID 2900 wrote to memory of 1988 | 2900 | cmd.exe | 84
PID 2900 wrote to memory of 1988 | 2900 | cmd.exe | 84
PID 2900 wrote to memory of 1988 | 2900 | cmd.exe | 84
PID 2900 wrote to memory of 1556 | 2900 | cmd.exe | 85
PID 2900 wrote to memory of 1556 | 2900 | cmd.exe | 85
PID 2900 wrote to memory of 1556 | 2900 | cmd.exe | 85
PID 1556 wrote to memory of 2256 | 1556 | explorer.exe | 86
PID 1556 wrote to memory of 2256 | 1556 | explorer.exe | 86
PID 1556 wrote to memory of 2256 | 1556 | explorer.exe | 86
PID 2256 wrote to memory of 1464 | 2256 | cmd.exe | 88
PID 2256 wrote to memory of 1464 | 2256 | cmd.exe | 88
PID 2256 wrote to memory of 1464 | 2256 | cmd.exe | 88
PID 2256 wrote to memory of 2924 | 2256 | cmd.exe | 89
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_455680ca039353336571aa714ce645000dad491df7d13ad75c58519b487160b3.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3000
-
[depth 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2504
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2296
-
[depth 4] C:\providercommon\DllCommonsvc.exe
    Command line: "C:\providercommon\DllCommonsvc.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1852
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2372
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1624
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2172
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2352
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\conhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2144
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2576
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 340
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\Logs\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1396
-
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1456
-
[depth 5] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHgl7hnF5p.bat"
    - Suspicious use of WriteProcessMemory
    PID: 744
-
[depth 6] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1912
-
[depth 6] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2740
-
[depth 7] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2900
-
[depth 8] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1988
-
[depth 8] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1556
-
[depth 9] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
    - Suspicious use of WriteProcessMemory
    PID: 2256
-
[depth 10] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1464
-
[depth 10] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2924
-
[depth 11] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
    PID: 2532
-
[depth 12] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1776
-
[depth 12] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2564
-
[depth 13] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
    PID: 1668
-
[depth 14] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2736
-
[depth 14] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3032
-
[depth 15] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
    PID: 872
-
[depth 16] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1408
-
[depth 16] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2020
-
[depth 17] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
    PID: 1068
-
[depth 18] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2220
-
[depth 18] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2992
-
[depth 19] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
    PID: 2608
-
[depth 20] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2076
-
[depth 20] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 664
-
[depth 21] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
    PID: 2052
-
[depth 22] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2820
-
[depth 22] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2800
-
[depth 23] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
    PID: 3008
-
[depth 24] C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2180
-
[depth 24] C:\Program Files\Windows Portable Devices\explorer.exe
    Command line: "C:\Program Files\Windows Portable Devices\explorer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 952
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2708
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2824
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1652
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2592
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2608
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2664
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 3044
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1668
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2580
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\conhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2692
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1108
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1992
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2652
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2500
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1844
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1020
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1592
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1212
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\WmiPrvSE.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 1556
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2912
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\WmiPrvSE.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2924
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2876
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 492
-
[depth 1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\it-IT\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    PID: 2284
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5501a8cd9f5d208a4b91419df3a1e2364
SHA17920c6dd1bd30f1d580100271f8e121dccb40a58
SHA2569ac49d78d87ec471208f7887fa9a689e5a78b190f2efe6725480ad60cef1ccbf
SHA51267164c242cb8de03225322a6415fdc54b9924311d833efdb4846fba055df4c3674f5e2d5cdc0c21371ab8abdedf95ddd1ce4694c0966bd4eb93cf590d5c67fcf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD557d862037076c0462b73aca81e54d4f8
SHA1226a6cb12b232659092849b7bdbf2f6ea22f5a87
SHA25692fb00021a83b4a800d383ba2caafc3f323e55c3b117c8d8aab505264e8e2884
SHA5124637322d367ad0c6a8aadc3d96356101f64c4bb031087122e63e65e3855cc1fe14dd144718c8d663b789180e7e0e7d07052d52eeeb8aa3cfce5823715427a37e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD525da8ac292fdd085c9ecdec47d2476d2
SHA101da1585ca8b3e4526f3c9ccc7f9ca5cce8326af
SHA256bf9899b60f646c5ae7fd5d3b933a94137a1ae77c3981712d99e84d6cfefdfb2f
SHA51250b464c9d4e51d351c5ce66955918d42ef15661f6a8f58a622577d54767bfe677c7dcbee0652b0da6ed3baab98474c290888341bb5aacd63c58df34df11b56ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b7d146d8a52d093910b0e1558aa46e40
SHA1405e2ed1885b0f4ff52af146e9fec3a8ef95727a
SHA2561a8b1dc5cc85f36a7b45c17de574301b59150f0c62959b343edad52fe076b2ab
SHA512a19ac63b78a13e4d39790632e6becf589815e683b12196f37cc192288c80674133eff66ff4896c992184d6868f021579240f3ef5cfab847896cfd4f102a56961
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cde50b695a2bb1190105abf985da5ef8
SHA1ad7f80830f184434636bb6d3f97491deca5ac5d4
SHA2562b035a62bfb7da5280184fcc91b1fbad434a61b13d804ed3846c056ed71b5384
SHA512c27a2eef1472b7f39df5a0513f409040fa7be2ac02a0b5ae7b46dd76f7d9dbf3db0dab5293234fca35dfe425a24ea9de2b86a37bb5aa4c76a0bcc65747fb85ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD571c9f050d2e26fdf61c434e51c09fd3e
SHA14b4fa9e5643c4e786bb3277e3d30dfcf4cea9591
SHA25624b3e71b7b79365bdc5e191be878ade97116a8951a8f9af54c3dfea5ef97f3fa
SHA512fe1f9f6acf3aafe22b8d4cd33976965ec7d7d2da8e622fa25a35ba531132ebf68fecd0077aa0e2c4262f0b01efff24ae66930c86b88b2c2a44621d06b48d6560
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b82c268e07f461572152f53c63c76941
SHA19a1305691724096c3929dff748499943dabf1346
SHA256ece75028705946817fe386addd28fb9d789ac2084159a87c288389c0767648ec
SHA5120b0148f3eb6c1683693727d9ef1423ea3a4a821f2e028d17c6b5bdbff8752b17b7536d4c345db12fb4def380ab2d96cc6c7f21a0d0477b255fe4a97ff63436ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55df27226c27f866c7edb1a7e845e2839
SHA16aa55c9b8a9a1b0d62020b99ec5cda29baf55b2b
SHA2561d7e96b0831d4cd01200be562f2eb45dbc233a099683d31a097faef020266d05
SHA5123cd14e0e532aed634b54f3ab4823351428b355157107aa24e830d69085ba1f089e20303ab5e07ae3a9a2a531be8f2f36d6f728d3c7562bed4f7d81c91e373f22
-
Filesize
219B
MD54262e3efafe5df89ac9ad0854868e1d3
SHA1223630633b11dfc8f368ad8425cdad44852bfa81
SHA2560aa5d4af7164c310705f551005719cd64cf0e269e170c466176e5e28a3c9401a
SHA5125f05c458be639b9f76992524c5bca5089132df2c20aaadc8268ad5fcd1f801bdba45cee26eab26dfa98f01a3a297543bda3a0aa5e9176876c95520d1315ded2b
-
Filesize
219B
MD5ac53658dddeb7886e223f6740aa0202d
SHA1ea356f3ae5b0f30b1f3906910f8c4c6a3e94efe8
SHA2562de87bc6bc19a7ae4eea7ec2d3005b0f9536b62ff725e5914ddf1f1193343132
SHA51297fda527fd45350f9ee5da5fba4565019981351f3e141d2d1cbc0a2c0669a8c1f7df8886568aee73260557a6c5db45902c618b4e888c384cb909c01c73f8f9c8
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 219B
MD5 9b6768d132f9166498c65622a1aa19b4
SHA1 bba33051dc26ac582adec47a72d7f18713ff78b0
SHA256 d613e99db1506c286efa9debe1574941283c67080c9ea1699adac69728119a50
SHA512 c626b0f6847860fe7d9f314c40a79c9fc2b6c747910c372be106af1d7721e1c0be0c83645e707ac0ae141400131df73e69ef370543a1aa6e224748d075390c6f
-
Filesize 219B
MD5 3395a236e6a9277fed6e90a66a30d7dd
SHA1 b1c2b8784d0e3c3aeee981b2de5fa37332a6913f
SHA256 bf46f744adab983fa74581dafd13e5c86a52e9c5a3f8f7ed318bb5878afd9065
SHA512 d95ba69ed2246b1e18e0d0bf200f169d9524ce2ee5da2f3e8b00a73804afad557f35e6e2ded0281a1974f493131818f813fbbfc64d185ae5447a76aaee9c7ca6
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 219B
MD5 1cc19d635f5beda29270b00cac2da143
SHA1 101526cc6550e51df72fa29b4d03cbbc496fa644
SHA256 2c9ba57dc43bcc2eebda09d418c0e83494544aff3e959aa2a3c313f5f205b789
SHA512 167e7ee5b567fe637eb726f5fb87d6f33a44d69f7a6fbd7e5df7bb7307068a1ee9ab77831421c6e89a143b784aa87f5815191d1f2743a4571ae7924afe405742
-
Filesize 219B
MD5 37a4530fcaa1bfb7da8a91d34723df1e
SHA1 03b0f741a496f07b3207cdd20ea70755fa2e7a8b
SHA256 966ef0bcc18326d6be9f82a5a55432a932b10efe406e359c92e1b3f35769d631
SHA512 5537d0b75a418d06a6859e7be8876c9a0d78267a2573f0ea91e5a1ba19ea2dacbd05d2e6b1cb81cb0df0bd92b6c10a65e424b2b42fb92713872e24e53ffdbb58
-
Filesize 219B
MD5 6142ed0b2e6310ec70ca28f6f1d27570
SHA1 91904b3dbac88e3693d5f26b8f5e29634511994a
SHA256 3c0caa7785c80e8cb7f17fef54e1b0803a4e1be6abecbe79a9a05db5c0b23a86
SHA512 4e1ac5726d99b1443a0133b87d5f9d8a7432cfa1e144396d821bd104c006cc930aa4e722446753a553ce657d3bca7f92b84074870ba06c138506c1aa572bff5c
-
Filesize 219B
MD5 2fc0df1141354f6887837d197e39e067
SHA1 405bacf740f78053dba4edf96bd5eaa8e4db16d8
SHA256 8250c961932a1678dc255b301f7bb91d0072a4e67b21af7de1c28a07d2034c81
SHA512 52fb10adafd183de6fc5ff88352035f3aedc20ad22e189d92fb16505b41ffa835c25d15763f266561ad07af1902db1eb96c958421e121ef328a390a114b7ac6e
-
Filesize 219B
MD5 246b45ff5f49c5f1489a971bb6c27c40
SHA1 3e6b7c667c880b939c000dc58808e28dbbbee234
SHA256 2cc0be22d7ad79f3c31449c9fe4d3d1b10a7bf8b57a7e3feb1cd4b077520201e
SHA512 af779275f5c5db15dbf1e1b52414e9e39ca9e63fa3d321bb81635fa92787fd5baa20ba603764000f6c42b81d5fa2dcd30f2e675ac66badfed1c040877af7b57a
-
Filesize 219B
MD5 525158a42a95aa2b69809b34d2df1637
SHA1 65b5cfe849c852b4f6d8540013313486ccc5195c
SHA256 1eec0f50f9fc5e29f6eb36c61fe4c2e830accad689ea5d4e5688394089b74ad1
SHA512 bb6db0da2a48168f87497170416c8f06fa6ebb9ea6f3c0e0dd957b6663c4eda2ea3b56a029f015ae7760be248788cca6db19089cc5abb7d00eeaffc030f6b70b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 7031fa66cea383e62a93818a398a2c5e
SHA1 158f99294167efdaa7b327d2ce714807fb1a2b85
SHA256 26ec1a2b511dbfdb3c232e90bba9034157ff76ae0852cc986afd1cc1f4c0ef4c
SHA512 2b29a684e49d36183a53759c93c0868ab0910c7747899c0666908b7e89f85b757493fe48a38366c55e75d20bab54c8c9274d3763ba7c5da34ef4bbda37eac65b
-
Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
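The dropped-file listing above is the part of a sandbox report that analysts most often turn into indicators, but as extracted it is awkward to consume: many entries have no path line, a label is sometimes fused to its value ("Filesize342B", "SHA256<hex>") and sometimes sits alone with the value on the next line, and one path (the CryptnetUrlCache\MetaData entry) is listed three times with three different digest sets, meaning the file was rewritten during the run. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses that layout into one record per entry, checks that every digest has the expected hex length, counts paths that were written more than once, and compares the contents of a local file against a record. The separator and label conventions it relies on are inferred from this listing alone; the sample input is three entries copied verbatim from the list above.

```python
# Added example: parse the dropped-file listing above into hash records,
# sanity-check the digests, and compare file contents against a record.
import hashlib
import re
from collections import Counter

LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
KEYS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
FIELDS = ("path", "size", "md5", "sha1", "sha256", "sha512")


def parse_dropped_files(text):
    """One dict per entry. Entries are separated by a lone '-' line; a label may be
    fused to its value ("MD5<hex>") or have the value on the following line."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                          # entry separator
            if cur is not None:
                records.append(cur)
            cur, pending = None, None
            continue
        m = LABEL_RE.match(line)
        if m:
            if cur is None:                      # entry whose path line is absent
                cur = dict.fromkeys(FIELDS)
            key, value = KEYS[m.group(1)], m.group(2).strip()
            if value:
                cur[key] = value
            else:
                pending = key                    # value follows on the next line
        elif pending is not None:
            cur[pending], pending = line, None
        else:                                    # any other line is a path
            if cur is not None:
                records.append(cur)
            cur = dict(dict.fromkeys(FIELDS), path=line)
    if cur is not None:
        records.append(cur)
    return records


def size_bytes(size):
    """'342B' -> 342, '70KB' -> 71680, '1.0MB' -> 1048576 (1024-based units)."""
    m = SIZE_RE.match(size or "")
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def problems(record):
    """Digests that are missing or not the right number of hex characters."""
    out = []
    for algo, n in HEX_LEN.items():
        v = record.get(algo)
        if v is None:
            out.append(f"missing {algo}")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % n, v.lower()):
            out.append(f"{algo} is not {n} hex chars: {v!r}")
    return out


def digests(data):
    """MD5/SHA1/SHA256/SHA512 of data, keyed like the records."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in HEX_LEN}


def matches(record, data):
    """True when every digest the record carries equals the digest of data."""
    present = {a: record[a] for a in HEX_LEN if record.get(a)}
    if not present:
        return False
    d = digests(data)
    return all(d[a] == v.lower() for a, v in present.items())


def path_rewrite_counts(records):
    """Paths listed more than once, i.e. the same file was written repeatedly."""
    c = Counter(r["path"] for r in records if r["path"])
    return {p: n for p, n in c.items() if n > 1}


# Three entries copied verbatim from the listing above, used as test input.
SAMPLE = r"""-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD571c9f050d2e26fdf61c434e51c09fd3e
SHA14b4fa9e5643c4e786bb3277e3d30dfcf4cea9591
SHA25624b3e71b7b79365bdc5e191be878ade97116a8951a8f9af54c3dfea5ef97f3fa
SHA512fe1f9f6acf3aafe22b8d4cd33976965ec7d7d2da8e622fa25a35ba531132ebf68fecd0077aa0e2c4262f0b01efff24ae66930c86b88b2c2a44621d06b48d6560
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b82c268e07f461572152f53c63c76941
SHA19a1305691724096c3929dff748499943dabf1346
SHA256ece75028705946817fe386addd28fb9d789ac2084159a87c288389c0767648ec
SHA5120b0148f3eb6c1683693727d9ef1423ea3a4a821f2e028d17c6b5bdbff8752b17b7536d4c345db12fb4def380ab2d96cc6c7f21a0d0477b255fe4a97ff63436ca
-
Filesize
219B
MD54262e3efafe5df89ac9ad0854868e1d3
SHA1223630633b11dfc8f368ad8425cdad44852bfa81
SHA2560aa5d4af7164c310705f551005719cd64cf0e269e170c466176e5e28a3c9401a
SHA5125f05c458be639b9f76992524c5bca5089132df2c20aaadc8268ad5fcd1f801bdba45cee26eab26dfa98f01a3a297543bda3a0aa5e9176876c95520d1315ded2b
"""
```

Feed the whole listing to `parse_dropped_files` to get records for every entry, including the path-less ones; `path_rewrite_counts` then reports the CryptnetUrlCache\MetaData path three times, which is the signal that a file was overwritten during the run rather than dropped once. To check a file recovered from another host, read it as bytes and call `matches(record, data)`; it compares every digest the record carries, so a match on SHA256 and SHA512 is required whenever both are present, and a record with no digests never matches.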