Analysis
-
max time kernel
93s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
09/05/2024, 03:21
Behavioral task
behavioral1
Sample
dd8b1a389274333385f70328e758db60_NEIKI.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
dd8b1a389274333385f70328e758db60_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
dd8b1a389274333385f70328e758db60_NEIKI.exe
-
Size
141KB
-
MD5
dd8b1a389274333385f70328e758db60
-
SHA1
9df3755c94d6930be47a57ab3d7f52a9171023ff
-
SHA256
d53760f7fe344dbcbf14c8c30ac3406f6c76f9ba5874f76028d6270f789a2489
-
SHA512
5f33f61f78f1635350dc28e2e2416ae2b6ba8e670091e779da381ba812f1c306457517029b1057641189f038673230846a7157cb5457b6de9f22b7358b7e7d01
-
SSDEEP
3072:IeOhl2UF9wQ9bGCmBJFWpoPSkGFj/p7sW0l:0FF9N9bGCKJFtE/JK
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmokb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njcpee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnolfdcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldohebqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbnmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphfpbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkncdifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmopdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkiqbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdegnep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkpgck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjbke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njcpee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpebmkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndidbn32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfofakp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgmcjld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqklmpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkncdifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lphfpbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgghhlhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe 
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiqbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkjjij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnolfdcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdegnep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjeddggd.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjjij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpjnkpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad dd8b1a389274333385f70328e758db60_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnhmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbahlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpjnkpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpagm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlfigcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdfofakp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpgck32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlfigcc.exe -
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers. In this run the recorded behavior is the dropper chain itself — each dropped EXE writes the next one into C:\Windows\SysWOW64 and spawns it — together with persistence through a single CLSID ({79FEACFF-FFCE-815E-A900-316290B5B738}) registered under ShellServiceObjectDelayLoad and pointed at a dropped DLL via InProcServer32, which Explorer.exe loads at startup.
resource yara_rule behavioral2/files/0x000c0000000233da-7.dat family_berbew behavioral2/files/0x0008000000023426-15.dat family_berbew behavioral2/files/0x0007000000023428-23.dat family_berbew behavioral2/files/0x000700000002342a-32.dat family_berbew behavioral2/files/0x000700000002342c-40.dat family_berbew behavioral2/files/0x0007000000023430-55.dat family_berbew behavioral2/files/0x000700000002342e-48.dat family_berbew behavioral2/files/0x0007000000023432-63.dat family_berbew behavioral2/files/0x0007000000023434-71.dat family_berbew behavioral2/files/0x0007000000023436-80.dat family_berbew behavioral2/files/0x0007000000023438-87.dat family_berbew behavioral2/files/0x000700000002343a-95.dat family_berbew behavioral2/files/0x000700000002343c-103.dat family_berbew behavioral2/files/0x000700000002343e-111.dat family_berbew behavioral2/files/0x0007000000023440-119.dat family_berbew behavioral2/files/0x0007000000023442-127.dat family_berbew behavioral2/files/0x0007000000023444-135.dat family_berbew behavioral2/files/0x0007000000023446-143.dat family_berbew behavioral2/files/0x0007000000023448-151.dat family_berbew behavioral2/files/0x000700000002344d-159.dat family_berbew behavioral2/files/0x000800000002344a-167.dat family_berbew behavioral2/files/0x000700000002344f-175.dat family_berbew behavioral2/files/0x0007000000023451-183.dat family_berbew behavioral2/files/0x0007000000023453-191.dat family_berbew behavioral2/files/0x0008000000023424-199.dat family_berbew behavioral2/files/0x0007000000023456-207.dat family_berbew behavioral2/files/0x0007000000023458-215.dat family_berbew behavioral2/files/0x000700000002345a-223.dat family_berbew behavioral2/files/0x000700000002345c-226.dat family_berbew behavioral2/files/0x000700000002345e-239.dat family_berbew behavioral2/files/0x0007000000023460-247.dat family_berbew behavioral2/files/0x000900000002338a-255.dat family_berbew -
Executes dropped EXE 39 IoCs
pid Process 4204 Lnepih32.exe 4400 Ldohebqh.exe 3240 Lcbiao32.exe 116 Lkiqbl32.exe 2380 Laciofpa.exe 1892 Lcdegnep.exe 4764 Lgpagm32.exe 1968 Lphfpbdi.exe 3044 Lgbnmm32.exe 4200 Mnlfigcc.exe 2000 Mdfofakp.exe 2016 Mkpgck32.exe 3644 Mnocof32.exe 4940 Mpmokb32.exe 3284 Mgghhlhq.exe 5068 Mjeddggd.exe 2784 Mcnhmm32.exe 712 Mjhqjg32.exe 1204 Mncmjfmk.exe 4948 Mcpebmkb.exe 708 Mkgmcjld.exe 2652 Maaepd32.exe 3760 Mcbahlip.exe 2372 Nkjjij32.exe 4012 Nnhfee32.exe 3740 Nqfbaq32.exe 1988 Ngpjnkpf.exe 4476 Nnjbke32.exe 3380 Nddkgonp.exe 1192 Nkncdifl.exe 4636 Nnmopdep.exe 1992 Nqklmpdd.exe 1688 Ngedij32.exe 4488 Njcpee32.exe 1272 Nnolfdcn.exe 432 Nqmhbpba.exe 3472 Ndidbn32.exe 2928 Nggqoj32.exe 5048 Nkcmohbg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lcdegnep.exe Laciofpa.exe File created C:\Windows\SysWOW64\Mglppmnd.dll Lgpagm32.exe File created C:\Windows\SysWOW64\Hlmobp32.dll Nkjjij32.exe File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe Nnhfee32.exe File created C:\Windows\SysWOW64\Jkeang32.dll Nddkgonp.exe File created C:\Windows\SysWOW64\Bidjkmlh.dll Lgbnmm32.exe File opened for modification C:\Windows\SysWOW64\Mjhqjg32.exe Mcnhmm32.exe File created C:\Windows\SysWOW64\Hhapkbgi.dll Mncmjfmk.exe File created C:\Windows\SysWOW64\Gpnkgo32.dll Mcnhmm32.exe File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe Mcpebmkb.exe File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe Nkjjij32.exe File created C:\Windows\SysWOW64\Lidmdfdo.dll Ldohebqh.exe File created C:\Windows\SysWOW64\Ddpfgd32.dll Ngedij32.exe File created C:\Windows\SysWOW64\Bghhihab.dll Nnolfdcn.exe File created C:\Windows\SysWOW64\Dgcifj32.dll Mjeddggd.exe File created C:\Windows\SysWOW64\Ekiidlll.dll Lcbiao32.exe File created C:\Windows\SysWOW64\Khehmdgi.dll Lkiqbl32.exe File created C:\Windows\SysWOW64\Mcpebmkb.exe Mncmjfmk.exe File opened for modification C:\Windows\SysWOW64\Ldohebqh.exe Lnepih32.exe File opened for modification C:\Windows\SysWOW64\Lphfpbdi.exe Lgpagm32.exe File created C:\Windows\SysWOW64\Jfbhfihj.dll Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe Njcpee32.exe File created C:\Windows\SysWOW64\Nqmhbpba.exe Nnolfdcn.exe File created C:\Windows\SysWOW64\Eeandl32.dll Laciofpa.exe File created C:\Windows\SysWOW64\Maaepd32.exe Mkgmcjld.exe File opened for modification C:\Windows\SysWOW64\Nqklmpdd.exe Nnmopdep.exe File created C:\Windows\SysWOW64\Lgpagm32.exe Lcdegnep.exe File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Nnhfee32.exe Nkjjij32.exe File created C:\Windows\SysWOW64\Lcbiao32.exe Ldohebqh.exe File created C:\Windows\SysWOW64\Lcdegnep.exe 
Laciofpa.exe File created C:\Windows\SysWOW64\Jjblifaf.dll Mgghhlhq.exe File created C:\Windows\SysWOW64\Ndidbn32.exe Nqmhbpba.exe File opened for modification C:\Windows\SysWOW64\Nggqoj32.exe Ndidbn32.exe File created C:\Windows\SysWOW64\Nkcmohbg.exe Nggqoj32.exe File created C:\Windows\SysWOW64\Ldohebqh.exe Lnepih32.exe File created C:\Windows\SysWOW64\Egqcbapl.dll Mcbahlip.exe File created C:\Windows\SysWOW64\Lnepih32.exe dd8b1a389274333385f70328e758db60_NEIKI.exe File created C:\Windows\SysWOW64\Nnmopdep.exe Nkncdifl.exe File created C:\Windows\SysWOW64\Bgcomh32.dll Lnepih32.exe File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe Lcbiao32.exe File opened for modification C:\Windows\SysWOW64\Nnmopdep.exe Nkncdifl.exe File created C:\Windows\SysWOW64\Njcpee32.exe Ngedij32.exe File created C:\Windows\SysWOW64\Nggqoj32.exe Ndidbn32.exe File opened for modification C:\Windows\SysWOW64\Mpmokb32.exe Mnocof32.exe File created C:\Windows\SysWOW64\Mgghhlhq.exe Mpmokb32.exe File created C:\Windows\SysWOW64\Mkgmcjld.exe Mcpebmkb.exe File opened for modification C:\Windows\SysWOW64\Nkjjij32.exe Mcbahlip.exe File created C:\Windows\SysWOW64\Kmalco32.dll Ngpjnkpf.exe File created C:\Windows\SysWOW64\Nqklmpdd.exe Nnmopdep.exe File created C:\Windows\SysWOW64\Nnolfdcn.exe Njcpee32.exe File created C:\Windows\SysWOW64\Mnlfigcc.exe Lgbnmm32.exe File created C:\Windows\SysWOW64\Agbnmibj.dll Mpmokb32.exe File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe Mjeddggd.exe File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe Nddkgonp.exe File created C:\Windows\SysWOW64\Cgfgaq32.dll Nkncdifl.exe File created C:\Windows\SysWOW64\Flfmin32.dll Mnlfigcc.exe File created C:\Windows\SysWOW64\Nkjjij32.exe Mcbahlip.exe File created C:\Windows\SysWOW64\Nngcpm32.dll dd8b1a389274333385f70328e758db60_NEIKI.exe File opened for modification C:\Windows\SysWOW64\Lgpagm32.exe Lcdegnep.exe File created C:\Windows\SysWOW64\Mcbahlip.exe Maaepd32.exe File created 
C:\Windows\SysWOW64\Ljfemn32.dll Nnmopdep.exe File created C:\Windows\SysWOW64\Mjeddggd.exe Mgghhlhq.exe File created C:\Windows\SysWOW64\Mncmjfmk.exe Mjhqjg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2692 5048 WerFault.exe 121 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laciofpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" Mgghhlhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" Mjeddggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} dd8b1a389274333385f70328e758db60_NEIKI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddkgonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmhbpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" Mdfofakp.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mncmjfmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnjbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" Nnmopdep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndidbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggqoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbahlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll" Mkpgck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdfofakp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdegnep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlfigcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njcpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkiqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" Mnocof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" Ngpjnkpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdfofakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnepih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjeddggd.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhfee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" Lcdegnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" Nggqoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgghhlhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqfbaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcbiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmopdep.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll" Mpmokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcbiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjeddggd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddkgonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnmopdep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnocof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" Lcbiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkiqbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcnhmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbnmm32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqfbaq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3272 wrote to memory of 4204 3272 dd8b1a389274333385f70328e758db60_NEIKI.exe 80 PID 3272 wrote to memory of 4204 3272 dd8b1a389274333385f70328e758db60_NEIKI.exe 80 PID 3272 wrote to memory of 4204 3272 dd8b1a389274333385f70328e758db60_NEIKI.exe 80 PID 4204 wrote to memory of 4400 4204 Lnepih32.exe 81 PID 4204 wrote to memory of 4400 4204 Lnepih32.exe 81 PID 4204 wrote to memory of 4400 4204 Lnepih32.exe 81 PID 4400 wrote to memory of 3240 4400 Ldohebqh.exe 82 PID 4400 wrote to memory of 3240 4400 Ldohebqh.exe 82 PID 4400 wrote to memory of 3240 4400 Ldohebqh.exe 82 PID 3240 wrote to memory of 116 3240 Lcbiao32.exe 83 PID 3240 wrote to memory of 116 3240 Lcbiao32.exe 83 PID 3240 wrote to memory of 116 3240 Lcbiao32.exe 83 PID 116 wrote to memory of 2380 116 Lkiqbl32.exe 84 PID 116 wrote to memory of 2380 116 Lkiqbl32.exe 84 PID 116 wrote to memory of 2380 116 Lkiqbl32.exe 84 PID 2380 wrote to memory of 1892 2380 Laciofpa.exe 85 PID 2380 wrote to memory of 1892 2380 Laciofpa.exe 85 PID 2380 wrote to memory of 1892 2380 Laciofpa.exe 85 PID 1892 wrote to memory of 4764 1892 Lcdegnep.exe 86 PID 1892 wrote to memory of 4764 1892 Lcdegnep.exe 86 PID 1892 wrote to memory of 4764 1892 Lcdegnep.exe 86 PID 4764 wrote to memory of 1968 4764 Lgpagm32.exe 89 PID 4764 wrote to memory of 1968 4764 Lgpagm32.exe 89 PID 4764 wrote to memory of 1968 4764 Lgpagm32.exe 89 PID 1968 wrote to memory of 3044 1968 Lphfpbdi.exe 90 PID 1968 wrote to memory of 3044 1968 Lphfpbdi.exe 90 PID 1968 wrote to memory of 3044 1968 Lphfpbdi.exe 90 PID 3044 wrote to memory of 4200 3044 Lgbnmm32.exe 91 PID 3044 wrote to memory of 4200 3044 Lgbnmm32.exe 91 PID 3044 wrote to memory of 4200 3044 Lgbnmm32.exe 91 PID 4200 wrote to memory of 2000 4200 Mnlfigcc.exe 92 PID 4200 wrote to memory of 2000 4200 Mnlfigcc.exe 92 PID 4200 wrote to memory of 2000 4200 Mnlfigcc.exe 92 PID 2000 wrote to memory of 2016 2000 Mdfofakp.exe 94 PID 2000 wrote to memory of 2016 2000 
Mdfofakp.exe 94 PID 2000 wrote to memory of 2016 2000 Mdfofakp.exe 94 PID 2016 wrote to memory of 3644 2016 Mkpgck32.exe 95 PID 2016 wrote to memory of 3644 2016 Mkpgck32.exe 95 PID 2016 wrote to memory of 3644 2016 Mkpgck32.exe 95 PID 3644 wrote to memory of 4940 3644 Mnocof32.exe 96 PID 3644 wrote to memory of 4940 3644 Mnocof32.exe 96 PID 3644 wrote to memory of 4940 3644 Mnocof32.exe 96 PID 4940 wrote to memory of 3284 4940 Mpmokb32.exe 97 PID 4940 wrote to memory of 3284 4940 Mpmokb32.exe 97 PID 4940 wrote to memory of 3284 4940 Mpmokb32.exe 97 PID 3284 wrote to memory of 5068 3284 Mgghhlhq.exe 98 PID 3284 wrote to memory of 5068 3284 Mgghhlhq.exe 98 PID 3284 wrote to memory of 5068 3284 Mgghhlhq.exe 98 PID 5068 wrote to memory of 2784 5068 Mjeddggd.exe 99 PID 5068 wrote to memory of 2784 5068 Mjeddggd.exe 99 PID 5068 wrote to memory of 2784 5068 Mjeddggd.exe 99 PID 2784 wrote to memory of 712 2784 Mcnhmm32.exe 100 PID 2784 wrote to memory of 712 2784 Mcnhmm32.exe 100 PID 2784 wrote to memory of 712 2784 Mcnhmm32.exe 100 PID 712 wrote to memory of 1204 712 Mjhqjg32.exe 101 PID 712 wrote to memory of 1204 712 Mjhqjg32.exe 101 PID 712 wrote to memory of 1204 712 Mjhqjg32.exe 101 PID 1204 wrote to memory of 4948 1204 Mncmjfmk.exe 102 PID 1204 wrote to memory of 4948 1204 Mncmjfmk.exe 102 PID 1204 wrote to memory of 4948 1204 Mncmjfmk.exe 102 PID 4948 wrote to memory of 708 4948 Mcpebmkb.exe 103 PID 4948 wrote to memory of 708 4948 Mcpebmkb.exe 103 PID 4948 wrote to memory of 708 4948 Mcpebmkb.exe 103 PID 708 wrote to memory of 2652 708 Mkgmcjld.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd8b1a389274333385f70328e758db60_NEIKI.exe "C:\Users\Admin\AppData\Local\Temp\dd8b1a389274333385f70328e758db60_NEIKI.exe" 1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4476 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Nkcmohbg.exeC:\Windows\system32\Nkcmohbg.exe40⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 400  (tree depth 41)
- Program crash
PID:2692
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5048 -ip 5048  (tree depth 1)  PID:3212
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
141KB
MD5 66f4cf7fe9c47461232eb0c3ccf7383e
SHA1 586cfbfa35ed5ba5910134c13f60edf9b4d6be11
SHA256 5dbb953a19abaa26318e0885191a3a435db52627260b6dc1758850d42461e744
SHA512 174b847320830912f77811c1aa0eec9374a23acfa9f0d3e3a4cedbf5b78742c9bb1fe2f4f05588e9459d9aa0b4e9954c129e59d8a33be8c3b19fedd52cb776d1
-
Filesize
141KB
MD5 d0e16033995d1fa5e1bc197a1ef323d6
SHA1 fff65173fc31ebc2b4d193427c27a003a9da59e1
SHA256 925975a7ad4000a3e1da8a0ee781bf70b94576dc32cac635cbcf733a56ff6c58
SHA512 0b2ad95866fd9134b2f4dad43a3aa23e82d76c8f2dc9f541a1e7ba3b1469c682328cd3f8122d1acfb82dcc48cd918f9b734e9cbf8642d50f3d3214a139d7c070
-
Filesize
141KB
MD5 044e6eb62969411d0ce5be7872c75871
SHA1 b1e1c4564c478a21185aa94b22c91001b4821e1c
SHA256 fffa37f4a8138703d77e9d5cddab4505100269e2ab32203665380134bdeccc93
SHA512 c8232980d578e43478053e027e8daa65a452e30e3cb8669c0bd963b3cc3b53d991178df530b724d0f4c3f8addfe8fe25b407b3229811c924be945b609290c034
-
Filesize
141KB
MD5 c998aa05bea137ad2def5218de4d7a70
SHA1 eacbd28ba9e4ffd233ef04055d5972f4948e42bd
SHA256 04ef758fa33dae1999f26eeb704e48fba9b73c38b72e0a45ebad7f003d9b6ba1
SHA512 f5a5fc590ecf1aecb7e1b7d98061223edbb500647b212a168d1d2230dfc32c73a811ebb56e085cd9044032147a60828395bf752037fa19a96ca1f409f2e7e929
-
Filesize
141KB
MD5 1d2a6737f1281750089943e7d947f50d
SHA1 51552219d5a0045a8e5ae822ca5b23df20f0a1ca
SHA256 6f73c43b41fded118454a2a3f7383c158211fd18271b6e707e064a24c9c4403a
SHA512 424441336e236c8347a524d1095e31f35d90f11a09c421b0855065a283593a7566810d8a0ca9cb1430206de5dcf7fb03093b1aa97cecca2e60f4a9acf21e3840
-
Filesize
141KB
MD5 152c6a204d1c648943eb96c95199409a
SHA1 7aad794b9502a002486c5aa385cd28a16f446489
SHA256 d9c0e02304c3088a9cb5b9f4ea7599a45410f61055a4f3fe15940d7ee10c1f19
SHA512 92862312bb720b0e9bdff541bfd51f577be007657b36cc2c279e2711a03c579b998dd7de045aa3b96114df355eac9245ecd35568518b72c56ed9f0dd9415f76f
-
Filesize
141KB
MD5 58c46bf0694728d23581f01e0c722a09
SHA1 49c9149266f1dfe33ab276be3c45774323d50b19
SHA256 f6173789149294a7d611c7c5af3d62d42c7a355dc1faacd0f7224d097c672734
SHA512 8ce9dede3d2f8b1d0f304eacf7fb47755b1a5bc662cf4db538e1c1fbd7ec2f715d1ed69fd2272d458b802a805ebc7a01749f641008a8243c6ca06dd086502f9f
-
Filesize
141KB
MD5 ef380381ede25c3527a140fd97a66e9f
SHA1 329fa0a66e958bd1478042334fa80e435080aeca
SHA256 b161f125317fa8bede02eaebe939af30d1264632973d8e5aebc46a832b688679
SHA512 82fb04c63980258492b59385a17b57290c8b4eb6d11cddabca10691f1387f40dbf3b0d7e3f975ead7e1d5b0c7efb3fce016ca1afb38d5dfe2a73a54278f07000
-
Filesize
141KB
MD5 bfcceed7bd82d454234f2ecf5bc9e8c8
SHA1 61d2ea76300a7d045550248e5cf375d1ec6fe0a2
SHA256 8271e4b2a4be1b1f5f3195d7fbf1e6d3c112b4837fa8fafd6579b797115213c2
SHA512 79ca3bc8b576661eb4dcdc3877df9e468d1bc4e5d257ff893d2c2759bbcd2e6725b8135013f9024c006f50f323f9016165feb21db9a09b7507c6079f54ee2683
-
Filesize
141KB
MD5 308cc93cd9f294a9f056f884e4575f21
SHA1 2e487384f62fe678fcaef51e9309f2e9927c52e9
SHA256 1f2de79c20bb11bf0a628648419c06271a347a91e95361bb38bc4c4de0cd55fc
SHA512 28561d25b80d12ba11ac8e97804605d65d32063c4a52087d09f96e5f0e17b908c90746af208310e330b9c241e51978e12f52349af777820d84abf911f41b9be8
-
Filesize
141KB
MD5 1c141db94a6e38f3a82d7b4d40c8d798
SHA1 de0514fb9ea47a9cbeb654d6ad1fad0a8d9d8833
SHA256 0bba8366aa5ca55fd84634e3fdf6e555688bd32bc51f3fb42b4a3e75d758c261
SHA512 e497a88024d03e68058ab5b8009a45eb154c89b8652c01bbbaee177fb312792435beaf717edca96287d1acfccab1396fb8efbfac6435d038a88e61a5119031ca
-
Filesize
141KB
MD5 001db552eae26fe8ee60ebe5ee464dc8
SHA1 367e262d65a9e365957ff3965e94a0293a3996bc
SHA256 ce3b1d8ae6547535ff7d1d7c3d0b31aadd696261d37ee94f1cf3fc1e8f95cb0a
SHA512 910b7f4de1bedf4b17e9d7732c4887874d78e0fb3be3bf2453ae0d2d9ff1b967ea0d9e285ad18176a86a33a252cbc6e28a005bfef68ff2cb6d0ef410927f71da
-
Filesize
141KB
MD5 b185faf65650f31adbb9302137c1e913
SHA1 d638c0e0204085341417b1c5111e8f15341e91bb
SHA256 9625710841aebfc61918360dc03100890c2dc84bc3ee5799e5c7fd39470e224b
SHA512 6f254a34997cd30955546faefef807882743a407e55a1c44a934d031796e32f29ce293dc9fdf08d11a996da15616b65e73cdb9ea4a9660c1e70215b69f9e13f5
-
Filesize
141KB
MD5 701574d9b1b11aa7d1bd09b73423c999
SHA1 6a6d538ac1040989481182501053962f170f4b4c
SHA256 97fa70a0b89e58f547ea91f89b3784a08dcd7c96cf6696ab688d54d86a1f40ad
SHA512 ad48c168d4b7938774e90a23487448d6b4c4c61a9164789bc8ee8ee831155db3d72f6dc6ee586ab37220495aed152338ff9d6a83c7fb4db8540df461d66e3d0f
-
Filesize
141KB
MD5 00f70310e47ef5d0db480775e89421a1
SHA1 47df8d35a4ab8a2146010a82e0ab9531721787d5
SHA256 003eda90fe1341b797fb4140258195e577c2ed1ab73b3d7bd4ee1772baf0be4f
SHA512 de63c9c15798c02a83a9a805be1f969ab2dd32b061d6d42d6f29a1e53c5c6b7fdc2227e7996e024970b4a0fa96efe558a48c62f54ced29758e6edd39717e3be8
-
Filesize
141KB
MD5 612138dfa3fa4de8d78dd2cdb14bb038
SHA1 33febeaa1945a979bc23eb6187e35ef763939428
SHA256 0fbd97532f4a58bc315a9bd32eee48a7bcd279e00f2f1fc713d5f4d809df418f
SHA512 42b764fc608c1259fbe074e674e20fb54b85cd9fb4451b5e21b0887a06261b17eb045f21f28cd24640c6c0b67d8aee2c61e3c46fe67ac385df91d597e952a976
-
Filesize
141KB
MD5 e8a70e43caef07b8325912ba7dbaf88a
SHA1 711911adfefe768c9ed6e4762451bfded0c876c8
SHA256 9b14112026a4355cc67ceddeb5c41e8c079eb8e1cbbd4e48ab1a3d45c08a1f36
SHA512 551ba0e148a72b11e76ead8b733b27873b931cfdc59583ce39a32f85bffb45be88d1ac4f5f573c9d2444bc5c10aca35887cea94508b22b58bd569ab8d562c6f5
-
Filesize
141KB
MD5 9579c3c8edc3503a131fbb9b22e6ec31
SHA1 e6a4eca91983876159d868939e84b7143513b19b
SHA256 c787f075e81f2344bf0f60f5a8e037880c59982426094fbf361567b39cb71701
SHA512 97a6a0a935c221606c7202ac380c6cfa1532e0e4a2dc014029f66374959799dceb3f6f57907244666ab25ca15e20a4a216ef99ad31ca0e41d4e5a207928839e4
-
Filesize
141KB
MD5 944687a72bb56f8387a58ea66e6deea4
SHA1 20ba2cb1e68cea5b712bcbf6c785527b679ed124
SHA256 9a419cf30ab9a12c8441bab2d24c280dc1a45e5f7600d2fba03d2aec8306496a
SHA512 f9fa2dbaa21b7e8138026f4377330693c81259e45c1a9bcee647b56e5959c25225d7c292bde5f1ba0c2568c9ffeacbd5892db740732d3fa8a40d53b81ea84b12
-
Filesize
141KB
MD5 7165b680a322fbdde9a7429bcd902701
SHA1 25734a89881af777baa1827d393d38c1e8cb6251
SHA256 5f72d9ae612977767ed217b1eff506a81dfdad4e0320eb8103af3fd0214d7f78
SHA512 b7f03a44584a56124ea57921857ad0c8e920e6a10c2c15e7abec1100a76369ecfaa5f3e200c736aefbdd359ad44faa8d7db01b298fc74be6ce52131c25e392bd
-
Filesize
141KB
MD5 7bce9ab401ffc60a5ca11432111e376d
SHA1 9c307e246e358959d1dffb80db61f1206539ae73
SHA256 0f7c92ddfeb3c515909219c8c2124324d50e86f671ea0f88d38d2267cd6ef035
SHA512 ae37d8b47bdacd63bd33edb8eb7f57a3dd63b9856c062ee74e5f3551deee8a865329f5a493fecc4f8368b0c3d9c75c5afe15b9bcd67aac6fedd2310a71a5d64e
-
Filesize
141KB
MD5 3a3b16bef57aae9db76f9567c36d9d9e
SHA1 37c9b911eab801c1e273e17c1d90f1cf150de2ed
SHA256 6212443c3444eab7a0ea13c83157c60b3369b6bc667e19d09dca310f70954a63
SHA512 befa4b50938dd1528783cc578414311908125a0ab54bb84e573e65e4432770b536fd9dd7029ad75ac9689034363b9a28ec864b8488b12424e101f58143ff2717
-
Filesize
141KB
MD5 dcc1a044a8bd58eace12e4c471bed908
SHA1 7fc021846bc82d1bbbe32dc04d9dcc5b20b73741
SHA256 bc70bbb826cf54661744a63db5c40da0f189e556094540ef424c65f19285e0c3
SHA512 e18b97f65840ca595ea2f5de385a49ac17c5db2c7322837d0701e8cad46e3694518bffd8ec3c54f0ed4bc53511e0fb1fd1797dc74c45802bc30f5a97b2bc0ad6
-
Filesize
141KB
MD5 da236c113bf7abc612abf16795bb0f62
SHA1 a9e0623466ea7fe1008ff2e2b39241a8ebb69c21
SHA256 4e33df02cf32e612053425891dd274c7f8a381f6e3d387e31c96c36ce2e9bd43
SHA512 40103ff9152a0d0439afe05d09efd1100d09ce5bc66d99338c8eff889ca8cbeeb5f368bff5db940830428a91779b9d2bfbf8d26e3c53461507486e13bd283e4e
-
Filesize
141KB
MD5 87a64b6a26ee9890fc6fb9bc9b6c2400
SHA1 aa8cbee9a8ad7baeaf41180b7a93a3b178ace80a
SHA256 0eb1838996878079ca428ee36d65a849da0ab8b490c5d9779cc5308b2df77db6
SHA512 078df08cfcc2bb7199df9989c1de1ba9fb1316f1e7945f19c729fb01d3e622608f012be2d4f592299a8298ccbd9bbd9e4c780af5be80758354a8e56d62578a6a
-
Filesize
141KB
MD5 8f3a1b838c3c772a288d6537869ec38c
SHA1 86828b068c380d244f5ca406c6aea2643986339f
SHA256 b4c3430c614d6cb53185319aee00466f12c75abc38dcb7ba8f686a6b1337bf53
SHA512 477c8899dc15c54e77709dceab6ea155ec9a9a4f12759b747a45cb4cdb7ce02326fcb2edabf6e35097c2f1ee189772a3a6b43f5cfe75efe35726d660dcf5c5e9
-
Filesize
141KB
MD5 981163e745752c062a2fd62f3c767ae3
SHA1 376c6f77c0bdfafae72e69d80ff41cd85080abf7
SHA256 c5737c7613d9ceca7226ac142189d5d58ea037cdb3be881cc1af0a668370e21a
SHA512 7d4fe92db13a6eeb577d54645d96c87cf8ea29d89cec1d1cd6778d05777dfa889b88a087539cd8324d322dda461f2b0129e3012f3cab42fc785040756e4c0a7a
-
Filesize
141KB
MD5 c834d7ac6bb9758115828ce5d7e324fd
SHA1 c73f4c2a7d7c37af7aec0e98e03fda851c0d9153
SHA256 edf6bb304a32609280c8fab5c2fc461d68c15fe35cfbb91fc520a943f668458e
SHA512 caeeb4882c2fb4e6757c761a59d04597012b4786d735f33466b026d6cef835202a3a863d6e1d8dd116de963c6e7dfd65c61af086005a464e2b8f5e3da9be703a
-
Filesize
141KB
MD5 509c6be7add62220f81b49815152f7a6
SHA1 d88ea7c5a03316b8268ec7e2862fe511a3eafd2a
SHA256 081264ba47767953ff51426be5ea7b5c5647c6d95320a02cb3c0b752b8b44e1a
SHA512 52898d379b3329df442ace033aa1d982cc195f3f0ca967849b04d59c880d8ab8afa2e8600b2e09701815568a04c25aa9d0944abe5aa3ec1a67c67613748dfd66
-
Filesize
141KB
MD5 8eaf995a09e4b241dbe48637334fc608
SHA1 a7d5171b762d91e57f0e708a03e23dc3844a0939
SHA256 b13f0de1f9a3c315b7493e5db75f16c987e5e2e65954d10751000b4b0dbca4e1
SHA512 102d1e704e04829ef93229e9a617e83eea2a63a0ae3d450707a382e4daa01d5d1a55e104985e2eebd1e324683f7187d93f455d3035da86b4000af585e4b6abd4
-
Filesize
141KB
MD5 b990fde3acb5c0b51a7b86a6ff6da16b
SHA1 379eefccbe778f1698332c47d88f0fc3b6f95f53
SHA256 90e508347f7542df4914ca2839299c26e547795f103fa0b817224362c16a70e9
SHA512 0de242e1307dcd1f36967ad9d30f0a26736d3f7b68fc524af9b9031e12c07eac2ece24f69e418c72b0a4af6a73c1a4278a1a65be21bb83c21bf89cc6124e1710
-
Filesize
141KB
MD5 28193d5848bf18132eef355104d47e06
SHA1 a8ff033e9ae2190650656e14ab17d32704f5840c
SHA256 c39e23d742e493c0ce4e7399a45ddf7ce5f2dbe4df0b55e144619cdf3d7a431f
SHA512 258883b69a0cbf5ada4eaf6b8fcc4fdb85ea2909d83371d9801c82bc63003a3163c473f498ef2035779f26a654bc074ef9400e79a2b53fe6cf0d375d0ddd6693