Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 01:41
Behavioral task: behavioral1
Sample: JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe
Size: 1.3MB
MD5: b1b5524275637fecaae7f3321158a5b4
SHA1: ee9a306a28e33de1bc1e8fd0c8404b44ab5708f3
SHA256: 5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b
SHA512: 5c5a7017c47f35593bec1405a585906b03d3677bcc466d61a9d45f4cc4f4e74046d7007e238e32d910c5eafa911c7a9b4f061817015a0e910686d0200c455d06
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan active since June 2019 that can load additional plugins at runtime.
-
Dcrat family
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is the WMI provider host, wmiprvse.exe (PID 2428), and every child is schtasks.exe; that is consistent with the sample launching schtasks.exe through WMI (for example Win32_Process.Create) rather than with an exploit, which is why the 15 schtasks.exe processes sit at depth 1 in the process tree instead of under DllCommonsvc.exe. On hosts without WMI-driven management tooling, wmiprvse.exe spawning schtasks.exe, cmd.exe or powershell.exe is a high-signal parent/child anomaly.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid_target 2428, procid_target 32)
Process: schtasks.exe
pid: 2540, 2984, 1012, 532, 972, 1300, 1400, 1804, 2764, 2816, 2856, 2664, 1704, 2244, 1936
resource / yara_rule:
behavioral1/files/0x0008000000014510-9.dat: dcrat
behavioral1/memory/2740-13-0x0000000000130000-0x0000000000240000-memory.dmp: dcrat
behavioral1/memory/1216-66-0x0000000000AD0000-0x0000000000BE0000-memory.dmp: dcrat
behavioral1/memory/2568-126-0x00000000002B0000-0x00000000003C0000-memory.dmp: dcrat
behavioral1/memory/2848-186-0x0000000000BE0000-0x0000000000CF0000-memory.dmp: dcrat
behavioral1/memory/2676-246-0x0000000000EC0000-0x0000000000FD0000-memory.dmp: dcrat
behavioral1/memory/624-306-0x00000000013A0000-0x00000000014B0000-memory.dmp: dcrat
behavioral1/memory/2816-366-0x0000000000170000-0x0000000000280000-memory.dmp: dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions. Defender supports exclusions for file extensions, paths and processes; all six invocations in this run use Add-MpPreference -ExclusionPath to exclude the dropped executables by path, one exclusion per persistence location.
pid / Process: 1724, 800, 1988, 1316, 1068, 2404 powershell.exe
-
Executes dropped EXE 14 IoCs
pid / Process:
2740 DllCommonsvc.exe
1216, 2568, 2848, 2676, 624, 2816, 1544, 880, 2668, 2232, 1468, 2724, 1044 Idle.exe
-
Loads dropped DLL 2 IoCs
pid / Process: 2552 cmd.exe (2 loads)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
flow / ioc: flows 39, 42, 4, 16, 23, 29, 32, 35, 5, 9, 13, 19, 26, all to raw.githubusercontent.com
-
Drops file in Program Files directory 4 IoCs
description / ioc / Process:
File created C:\Program Files (x86)\Windows Defender\it-IT\System.exe (DllCommonsvc.exe)
File created C:\Program Files (x86)\Windows Defender\it-IT\27d1bcfc3c54e0 (DllCommonsvc.exe)
File created C:\Program Files (x86)\Common Files\System\de-DE\taskhost.exe (DllCommonsvc.exe)
File created C:\Program Files (x86)\Common Files\System\de-DE\b75386f1303e64 (DllCommonsvc.exe)
-
Drops file in Windows directory 3 IoCs
description / ioc / Process:
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe (DllCommonsvc.exe)
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe (DllCommonsvc.exe)
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\6ccacd8608530f (DllCommonsvc.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 1400, 2244, 1936, 2540, 2764, 2856, 2664, 1804, 2984, 1012, 532, 972, 1300, 2816, 1704 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid / Process:
2740 DllCommonsvc.exe (x3)
1724, 2404, 1988, 1068, 1316, 800 powershell.exe
1216, 2568, 2848, 2676, 624, 2816, 1544, 880, 2668, 2232, 1468, 2724, 1044 Idle.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description / pid / Process (every entry is Token: SeDebugPrivilege):
2740 DllCommonsvc.exe
1724, 2404, 1988, 1068, 1316, 800 powershell.exe
1216, 2568, 2848, 2676, 624, 2816, 1544, 880, 2668, 2232, 1468, 2724, 1044 Idle.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (count of identical entries in parentheses):
PID 2960 wrote to memory of 2524 JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe 28 (x4)
PID 2524 wrote to memory of 2552 WScript.exe 29 (x4)
PID 2552 wrote to memory of 2740 cmd.exe 31 (x4)
PID 2740 wrote to memory of 1724 DllCommonsvc.exe 48 (x3)
PID 2740 wrote to memory of 2404 DllCommonsvc.exe 49 (x3)
PID 2740 wrote to memory of 1068 DllCommonsvc.exe 51 (x3)
PID 2740 wrote to memory of 1988 DllCommonsvc.exe 52 (x3)
PID 2740 wrote to memory of 800 DllCommonsvc.exe 53 (x3)
PID 2740 wrote to memory of 1316 DllCommonsvc.exe 54 (x3)
PID 2740 wrote to memory of 1840 DllCommonsvc.exe 60 (x3)
PID 1840 wrote to memory of 992 cmd.exe 62 (x3)
PID 1840 wrote to memory of 1216 cmd.exe 63 (x3)
PID 1216 wrote to memory of 2140 Idle.exe 64 (x3)
PID 2140 wrote to memory of 2960 cmd.exe 66 (x3)
PID 2140 wrote to memory of 2568 cmd.exe 67 (x3)
PID 2568 wrote to memory of 900 Idle.exe 68 (x3)
PID 900 wrote to memory of 532 cmd.exe 70 (x3)
PID 900 wrote to memory of 2848 cmd.exe 73 (x3)
PID 2848 wrote to memory of 1568 Idle.exe 74 (x3)
PID 1568 wrote to memory of 1296 cmd.exe 76 (x3)
PID 1568 wrote to memory of 2676 cmd.exe 77 (x1)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
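Two parent/child patterns in this report are worth checking mechanically: wmiprvse.exe spawning schtasks.exe, and the chain in which a binary runs cmd.exe /C on a random .bat in %TEMP%, the batch sleeps with w32tm /stripchart /computer:localhost /period:5 (a living-off-the-land delay, since w32tm waits the period between samples) and then starts the next copy of the binary, repeating from depth 5 to depth 30 in the process tree. The Python below is an added example, not part of the sandbox output and not DcRat's code. The Proc records are constructed from the PIDs and command lines on this page, starting at DllCommonsvc.exe (PID 2740) so that the sandbox's reuse of PID 2960 does not collide; the parent allowlist in UNEXPECTED_PARENTS is an assumption to tune per environment.

```python
"""Added example: process-tree checks for the DcRat behaviours on this page.
1. schtasks.exe whose parent is wmiprvse.exe (WMI provider host).
2. cmd.exe /C <random>.bat whose children are the w32tm sleep plus a further
   executable; when that executable is a fresh copy of the batch's starter,
   it is the self-respawn loop seen at depths 6..30 in the tree.
Records are constructed from this page, not a sandbox export."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the record set
    image: str            # full image path
    cmdline: str


W32TM_DELAY = re.compile(r"\bw32tm\s+/stripchart\s+/computer:localhost\b", re.I)

# Parents that should not launch these children on an unmanaged host
# (assumption: WMI-driven management tooling may legitimately widen this).
UNEXPECTED_PARENTS = {"wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"}}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_children(procs: List[Proc]) -> List[Tuple[int, str, int, str]]:
    """(parent_pid, parent_image, child_pid, child_image) for every pair
    listed in UNEXPECTED_PARENTS."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if basename(child.image) in UNEXPECTED_PARENTS.get(basename(parent.image), set()):
            hits.append((parent.pid, basename(parent.image), child.pid, basename(child.image)))
    return hits


def delayed_launches(procs: List[Proc]) -> List[Tuple[int, int, int, bool]]:
    """cmd.exe running a .bat whose children include the w32tm sleep AND another
    executable. Returns (starter_pid, cmd_pid, launched_pid, same_image), where
    same_image is True when the launched binary is a copy of the starter."""
    by_pid = {p.pid: p for p in procs}
    children: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    hits = []
    for cmd in procs:
        if basename(cmd.image) != "cmd.exe" or ".bat" not in cmd.cmdline.lower():
            continue
        starter = by_pid.get(cmd.ppid)
        kids = children.get(cmd.pid, [])
        if starter is None or not any(W32TM_DELAY.search(k.cmdline) for k in kids):
            continue
        for launched in kids:
            if not W32TM_DELAY.search(launched.cmdline):
                same = launched.image.lower() == starter.image.lower()
                hits.append((starter.pid, cmd.pid, launched.pid, same))
    return hits


# Constructed from this page's process tree and signature tables.
IDLE = r"C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
CMD = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
W32TM_CMD = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
PROCS = [
    Proc(2428, None, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    Proc(2540, 2428, r"C:\Windows\system32\schtasks.exe",
         r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /f'''),
    Proc(2740, 2552, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    Proc(1840, 2740, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfRHWD7XoS.bat"'),
    Proc(992, 1840, W32TM, W32TM_CMD),
    Proc(1216, 1840, IDLE, f'"{IDLE}"'),
    Proc(2140, 1216, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"'),
    Proc(2960, 2140, W32TM, W32TM_CMD),   # the page's second PID 2960, a w32tm instance
    Proc(2568, 2140, IDLE, f'"{IDLE}"'),
]

if __name__ == "__main__":
    for hit in unexpected_children(PROCS):
        print("unexpected parent/child:", hit)
    for hit in delayed_launches(PROCS):
        print("batch + w32tm delay + launch:", hit)
```

On the page's data the first cmd.exe (PID 1840) hands off from DllCommonsvc.exe to the dropped Idle.exe, so same_image is False; every later batch re-launches Idle.exe from Idle.exe, which is the loop.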
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5252936ea4faa18e6f659124fc84fbf531c50f08e40576054879f908fe9dba7b.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
[depth 2] C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
[depth 3] C:\Windows\SysWOW64\cmd.exe
  cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
[depth 4] C:\providercommon\DllCommonsvc.exe
  cmdline: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\de-DE\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
[depth 5] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IfRHWD7XoS.bat"
  - Suspicious use of WriteProcessMemory
  PID:1840
[depth 6] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:992
[depth 6] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
[depth 7] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat"
  - Suspicious use of WriteProcessMemory
  PID:2140
[depth 8] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2960
[depth 8] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
[depth 9] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
  - Suspicious use of WriteProcessMemory
  PID:900
[depth 10] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:532
[depth 10] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
[depth 11] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
  - Suspicious use of WriteProcessMemory
  PID:1568
[depth 12] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1296
[depth 12] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
[depth 13] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
  PID:1428
[depth 14] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1520
[depth 14] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624
[depth 15] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
  PID:2688
[depth 16] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2792
[depth 16] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
[depth 17] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
  PID:1624
[depth 18] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1016
[depth 18] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
[depth 19] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
  PID:2928
[depth 20] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1960
[depth 20] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
[depth 21] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
  PID:1924
[depth 22] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1956
[depth 22] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
[depth 23] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
  PID:1848
[depth 24] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2404
[depth 24] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
[depth 25] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
  PID:1284
[depth 26] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1432
[depth 26] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
[depth 27] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
  PID:2316
[depth 28] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2600
[depth 28] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
[depth 29] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
  PID:1300
[depth 30] C:\Windows\system32\w32tm.exe
  cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1860
[depth 30] C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe
  cmdline: "C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
-
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2540
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2984
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1012
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:532
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:972
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1300
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1400
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1804
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2764
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2816
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2856
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2664
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1704
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2244
[depth 1] C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1936
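Every schtasks.exe invocation above follows one template: a task name borrowed from a Windows process (Idle, explorer, lsass, System, taskhost) pointing at a copy of the RAT dropped outside that binary's real location, registered both ONLOGON with /rl HIGHEST and on a short MINUTE interval, after a Defender path exclusion for the same file. The Python below is an added example, not taken from this page or from DcRat; it parses the Add-MpPreference and schtasks command lines shown here (CMDLINES is constructed from them), extracts the persistence targets, flags the masquerades and correlates exclusions with task targets. The directory allowlist in SYSTEM_BINARIES and the pseudo-process name set are assumptions; on a real host the input would come from Sysmon event 1 or Security 4688 command lines.

```python
"""Added example: extract persistence and defence-evasion artefacts from the
PowerShell and schtasks.exe command lines on this page and flag masquerades.
CMDLINES is constructed from the page; allowlists below are assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
TASK_RE = re.compile(
    r'/create\s+/tn\s+"(?P<tn>[^"]+)"\s+/sc\s+(?P<sc>\w+)(?:\s+/mo\s+(?P<mo>\d+))?'
    r"""\s+/tr\s+"'?(?P<tr>[^'"]+)'?"(?P<rest>.*)""", re.I)

# Where these Windows binaries really live on a clean x64 host (assumption).
SYSTEM_BINARIES = {
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "taskhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Task Manager's "System" and "System Idle Process" are not executables at all.
PSEUDO_PROCESS_NAMES = {"system.exe", "idle.exe"}


def flags_for(path: str) -> List[str]:
    """Why a persistence/exclusion target looks wrong, in a fixed order."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    flags = []
    if name in PSEUDO_PROCESS_NAMES:
        flags.append("impersonates pseudo-process name")
    allowed = SYSTEM_BINARIES.get(name)
    if allowed is not None and parent not in allowed:
        flags.append(f"{name} outside its real directory")
    if not (parent.startswith(r"c:\windows") or parent.startswith(r"c:\program files")):
        flags.append("outside Windows/Program Files")
    return flags


def parse(cmdline: str) -> Optional[Dict]:
    m = EXCL_RE.search(cmdline)
    if m:
        return {"kind": "defender_exclusion", "target": m.group(1)}
    m = TASK_RE.search(cmdline)
    if m:
        return {
            "kind": "scheduled_task",
            "name": m.group("tn"),
            "schedule": m.group("sc").upper(),
            "every_min": int(m.group("mo")) if m.group("mo") else None,
            "target": m.group("tr"),
            "highest": "/rl highest" in m.group("rest").lower(),
        }
    return None


def analyse(cmdlines: List[str]) -> List[Dict]:
    out = []
    for c in cmdlines:
        rec = parse(c)
        if rec:
            rec["flags"] = flags_for(rec["target"])
            out.append(rec)
    return out


def excluded_and_persisted(records: List[Dict]) -> List[str]:
    """Targets that received both a Defender exclusion and a scheduled task."""
    excl = {r["target"].lower() for r in records if r["kind"] == "defender_exclusion"}
    tasks = {r["target"].lower() for r in records if r["kind"] == "scheduled_task"}
    return sorted(excl & tasks)


# Constructed from this page (the quoted "powershell" program token is omitted).
CMDLINES = [
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'",
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'",
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\System.exe'" /f''',
]

if __name__ == "__main__":
    records = analyse(CMDLINES)
    for r in records:
        print(r["kind"], r["target"], r["flags"])
    print("excluded AND persisted:", excluded_and_persisted(records))
```

The exclusion-plus-task correlation is the strongest single indicator in this trace: a legitimate installer may add a Defender exclusion or a logon task, but rarely both for a file named lsass.exe under C:\Users\Default User.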
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a980ea706c95e4a5cf1eae2df694d43b
SHA1: d4648e899326fe629439bbc5af41e4ae984cedb9
SHA256: bf89e6edd8a9965691e951834629c67e70576a1f82ca231377be46bf1ed395ed
SHA512: b652d34332cf1e26fe6dce81cc11ba38f805e2f92d8375da5914f8c81867ca9e8924fcb9c917fe846f693777ac29790bd793c84ec9ed217193f7049ecb7c496e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: eb6969c531b55a24a0a6091fb331b932
SHA1: 65c7ec2b82b52ca4a0c4352ca000c05b7d4d8df5
SHA256: 13775c5d69fa3dfe230b52e1ceae80934004da8c13973efe192969f57137ea41
SHA512: 44148f331ec9ebd5ba69f3601789025e6fa497321c8ce91266bc31ac31c4843dd9e019a9164d0f6c64165f1b4a722df5b718a8ac0bf8297f3c37a7e6b2d899b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 634a9015aef58350a32cce6bbebec911
SHA1: e748d8fc6f577edb86faea164fbff768ccc5af02
SHA256: 783fbf7ff275b5c9d6f99c1b7637ca4638643ebcffd2da3d371e75771bb63d1f
SHA512: b556ed492e576660a1e4e78d00e582f6898a9d778e934138c54cd5a0fe086e1721e21e22d6fb2310d07e0a2d3c322942ea04ed780c048e6fa87ee3eb20d2be30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a86fadaf67037b96b5518ce17c7873c1
SHA1: e8a599b8bbead30db726050d4b9df2f0957b888e
SHA256: 830f0411aca60f4d7d0b86d07106d1186a05c989bc8096edb085f24a5f350e20
SHA512: cdcdade80d9991540227ba146d72b4ed351cf23cae50e652c712dee9bed694e454abdf6b9dba5cd7163797deec9ce714bb7855f09ec3884631d185412a2c1cb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 686f81ebf9255879273e17c2a147e115
SHA1: 4bff36bf79780c4955d5651d2f8cfa93977f3eb1
SHA256: c607e9f627d11f8b94761286bb29c78758f6958f3676bb64754f7c3179d8887a
SHA512: dcba734ec7ad2173c5fbda6a6a2a6e9fcd3d38afc0574bbedcd045b8e9827d326e40f7dd323d8fb5ffcc6c304cec42de2dbf2ba5804462b6f5dc9865a2e13176
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: acfe2216cfca9397ea8e5986a388167e
SHA1: 77558db84d77fc000b53a47e5e6980ebac413fb3
SHA256: c9bba105b5ced11c09830212bae3f238df650c565a3d58c906d47414a0231587
SHA512: 70f64e85db3c3341ded0f1cd93a653146a48a8acc3a4c281d69e7c72009091ff6cc1b0b7935f6825ed532085f76dd38d65849dc2051e762e59d2740aef042d6a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a8bf57c09f852de4b7fcdd5f18a50ddc
SHA1: e9b93abe59d9756a0bf322440990ca54325b8fcf
SHA256: 4497a77c8c3e1756284caff2effa802a8c0871b769a8db3d48c895339a55a94d
SHA512: 14a0eaadc426997de22c2781389c8c09d609c25b4bd0d0a532e80fd61a9348bcd66597fdfe19ef0eb10bf9290a2f22ce7df8242e3ce608324daea14025137cd1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a37c29d168db0e36cab9e5a7e149720e
SHA1: 6c5ca4c3b414fd4156342a652d48302acf456ee1
SHA256: 693d80bf4230c9cdd914341e1bada3262853cb33c16e8faf625e25ea674a757e
SHA512: e2ea1959e33f02f79d5d38daf3faec91d7abf658c65f1a5eefc0ed35776ccb1a4e8a6cb5c4ebef2afb967c7c7c4e376a0d89aa481a7fb8b9dbe9cdb22efb9f98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7b58ce678a7890fe853dbaba16e94a30
SHA1: 11551b9b6a7de788e2ada20058b91e554845dc3b
SHA256: 0f8bea8b311e8ca3525363ddef18f3da33cc7f3abd69c5c421896fd0b9026e5c
SHA512: 3afe4d8f69c6a01635dfde05044d54667b1565cc91b857255237af187fc62e898d22b9b740ef1be7a27e5be7fc2457064a8194f2b6d1eb7e3553eb49e1dcd894
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d1e991e77110153304dd13659e979f6d
SHA1: 1b09eb9986b6f86e62c66d22db03d036643a820a
SHA256: a013ab3b7c6dfcd8e500bf64e69b78981cb3fd050151d7f7eee1e3d8ccf2e312
SHA512: b8e0dbe71fa4a9f5c55cd4e71345af3d954bb062a7e8b173bd58c716e8a3910aa327a25e52097e4845d67b6692c7d322814595940ff9febc98b91fa1b3d4ecf1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: eb3a9e4aa2b94a90369019e0b9c9b4a0
SHA1: 972b2b88015339dbe760c9a0969a6b87969620f6
SHA256: cd8ac4780baaab5d5f38a7d4485a7d74be0fa48fe1a79a5ea5f655f6592a24b7
SHA512: 6c2c8454239101b9efafbb4c8caf9926b399a2d3960cdd0d03d60ee6a928c6207ce886422ada860f944720fb4c89ecfe70bf446dff44f6bba96fe9664c9af012
-
Filesize: 220B
MD5: 7bff7d63d373d6afc2a408921f9ae9fa
SHA1: 9a86aa84c171028cfb1ca3a2ded541914641b622
SHA256: dd8e12fac065e4d624dc18748448bfdedde87be08492d037283d0ce6d17ecf4a
SHA512: aa2c962728ccbf1b43cedeee38f93eccf1c20b523c3e4954de3fc3d8641cef040674f31f70ada6b0a8ea00440b3f0e8c31455f23a8ac255b6b74b3762f5642bb
-
Filesize: 220B
MD5: f720f729bc99838838d610dff890942c
SHA1: 0fce0756b50c8df64f893e414bf34306c35daf10
SHA256: 620ad03dba13c49e922429e6b3721e346bded127902123929af82b3acb577d6b
SHA512: 54e811bf81f29c140b872949ce1ae8f0de38492abb90e35a54b022d7ad308c2388010da503057c2495919c06284bdbf6eb626df166292ca1f2494e820aec8e44
-
Filesize: 220B
MD5: 988f0b281743b6fd2f113023b4f70537
SHA1: c232b4416faaa07757f538f92fcf68806d8df1d9
SHA256: 48b1ca4a0b67e4a78ff0bf5d73ec35ca3ca55b4334301fd6bfd0627a8c1ef3d9
SHA512: 53ddb8c1ce7c29d2f6699e777b3a265f5e61da80072f67b4abcf9dce9c8e41b42a20e638e1669e37a833a8b0adbf80d8c927d3cb0b032cf33fd4bfca6e1fa378
-
Filesize: 220B
MD5: 4bb8ef14eb9dc9235db33221199c546d
SHA1: 49f893c7eb72f312f7fa29755298052f9f85c1d2
SHA256: cb852716c5cb7c69e19d8fcb62e6694706a12382941d83a418ea24c5eee0e0c9
SHA512: 932c5c78084440d735434d5b40f9e4aa80aa1be2f622ade789ec03d7f4071a21bbf9c32a12f4a6cefa7b58f12c1f025fdb15bd5f471666a8463ad81c6bd92ad7
-
Filesize: 220B
MD5: 031f039e80d4d9cd11b91a0569697196
SHA1: b8f3e1d7f3e06386be3cb4f1ae837724a5a37016
SHA256: ef5b9b931591e0fb73468f54257f3643276c81b07e35ac1c8b4e9f68232c172c
SHA512: 8efce69840833debc531e995cad3d53ff631ad5d31c3d7fff56ce6a7e95465fb52b7b3a39d168cd69d4195f945cae763514fc6d41c1d25c20aa10e73e74a9052
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 220B
MD5: 28c3c4d6f0e3218d5633b9a70d4e26a1
SHA1: 17adc24705f84378615c60092c5fff20292cb7a5
SHA256: 9835b846b73b1ccca0a73627aa724c9084dd01d297cf5d125636f0e6268f94fb
SHA512: 65169ab50a5465647dc95b88a33ae1c416ec69a253a3a3ddb02e1bc85f32cc0214bc3554c5c9b91f0e554962a9608ca0fe4e35e1b8f1fa9975e2f67a50f68db7
-
Filesize: 220B
MD5: b520235120d928de19f1dc0fd3be006a
SHA1: cfaac604b2e674a319bdec41ba6353fa28e1a25f
SHA256: 45944661cf62604fc719d64fde76d272f04af6f7a41ebb02b9fd06d0c905f66a
SHA512: 4322dd6b45cd55bc3c336650cd19ebfb1746bd665815860489d681aa1a289c73f438ba616cc31b9907005ab4dc18ef529070d7bc0531bcf5e9b21302f899a19a
-
Filesize: 220B
MD5: d65de4edde2eac94af70b16e2928415f
SHA1: 0617a06519dd7620e815028d93ed1233cc3c1d6b
SHA256: 333cd719d96a6b32fcb80733be9583e97b862a0fae425ef768c20ef92b2d246a
SHA512: 044b159bc53a9b63c2edf6e65398dda6954c60b3f21d30da6bad352cabf7ae9a2680f795a656ceb08d92a05c29ab0aeffdbc9bf1ee245753b7530143dff8f763
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 220B
MD5: 8c1d69d877bc364cd7b8aeaf1034e594
SHA1: 6fb74645e3755fe64e8c0fda0f3fe97496e84107
SHA256: 56be72d89a90e3056863c73b8eea8ef76662f1c60e1366a1669a8197bd938d6e
SHA512: a9eea14469c73fd884ad58c775fa7f2712fa91d13c5e332d12c93e83b6491ca2dbd6fbe4615e4842d4075868803fcbe0e72b498db1c5ed956598df95c91420c3
-
Filesize: 220B
MD5: 6f34587e4343638bbb29b00784998ce2
SHA1: efe95e1c6afa3c62f60411960ab8ca5631bbc377
SHA256: 33afb8cc0c69e2cd1e9cda8fd1a18f798c47d0c506886595756084e26e55b34b
SHA512: 62e8beed6fc887777e9ae462c9147b133230be900afc8e27d4ed1597c4e58c9ddd9a463c9ec66f267c9cba785add1252f9fafd064592813489bdf9581a735b5e
-
Filesize: 220B
MD5: c652874b505cd4cb97302b487ea2b898
SHA1: 687288512e15ba6fc2d160eafa1ea67b621b2e2e
SHA256: f393324db7e41d827fb09d04f9d5b5a4991fa0951486a3a2464c6049750f1c58
SHA512: 46ea8d24910c31dd89123bd7a293e94c383721fb35f0bb91b3f31f2f9e2ecc847a93c8021ce1c0cc2064adb9d3c92fe1e70250dbc19e14519ba55064844d8c9a
-
Filesize: 220B
MD5: c6a2f830aad61a49b8e472822eb723d2
SHA1: 9fff72ca69e223ba51f983052c0ffd07bf569284
SHA256: c115c20ad2ea88b04f2de3d6a13fee738bdd76ffcfffea223f01d45eea14f62e
SHA512: bf3111f28c995153130eefa48cfd0114074c39fa06c2be56be3672fb71d876e92285993ce4e0d5154386acf9ff89a2084b181f9baf52cee3ef3d0f3944b77d85
-
Filesize: 220B
MD5: fc514d9dbafb6d23846e82071061f462
SHA1: 98382e4036770f4f8144a8230397d5ee30966b24
SHA256: f84ca0f97ef928682b2b1b84c9a8ae80c2dbc73a1a68fd58b76690b96272c607
SHA512: e9b336c45509c620d3543275be61f007dd478ff68da8ee639fbd402893645480768863afaa3c1bf806e8063b7c300f4874fa518a7412095136ed54f534d2bf5f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 2f10e0cfa2a4ac448afaa78831570b2b
SHA1: cf4c74b21fc2fde3419d095b8e995030dab4209b
SHA256: 13981d9ab25d1a23949b861cf21cf1297b05c78ebc422a99cc0e9aa38ad2bce3
SHA512: 31f6604fa9aed83863918e3b02ad5a787001c9d972ea525ad583f09f2d829c4dda9617096ec4f13e0e7391e02cf3bf1485520d19f389f3b546e1f7d5dbbfb668
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394