Analysis
-
max time kernel
142s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
09/05/2024, 14:06
Behavioral task
behavioral1
Sample
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
-
Size
256KB
-
MD5
5479c93625eb65150f5d4121adb22a70
-
SHA1
58e2a68ca78fa79bdbe21b5d64dc98eafed14755
-
SHA256
63aa66a0b5473119ab951194a9c1bb79098eb42932db85fec7c49ef2af106153
-
SHA512
7dce4487ad028498a39a76cd5120477bc2b390dcdf6ca70e6d563aa5113082439dedb2ac4dcdb6ef4e60091930cd1659c29693f739813a254dccc71f0dd5b2d7
-
SSDEEP
6144:WiRRqxZWbjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:nRqCPlpJxifbWGRdA6sQhPbWGRdA6sQi
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgodpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqphic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmlla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjblf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggccllai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggepalof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahfkimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhdjpjf.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajjjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqnkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbccge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebijnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epffbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfccogfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfolacnc.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgdeppb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhmbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhbmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafkgphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkondfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigbmpco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqjjjjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enopghee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggepalof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epffbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqkondfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhmbihg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omalpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeplijj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Abjmkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpakn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhiogdd.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan capable of downloading and installing a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4036-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000023261-7.dat family_berbew behavioral2/memory/1708-8-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000023265-15.dat family_berbew behavioral2/memory/3444-16-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0008000000023269-23.dat family_berbew behavioral2/memory/856-24-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002326b-31.dat family_berbew behavioral2/memory/2268-33-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002326d-38.dat family_berbew behavioral2/memory/4928-40-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002326f-47.dat family_berbew behavioral2/memory/2424-48-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023271-55.dat family_berbew behavioral2/memory/3588-57-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023274-58.dat family_berbew behavioral2/memory/216-64-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023276-71.dat family_berbew behavioral2/memory/4660-73-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023278-74.dat family_berbew behavioral2/memory/1660-80-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002327a-87.dat family_berbew behavioral2/memory/1028-88-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002327c-95.dat family_berbew behavioral2/memory/676-96-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002327e-103.dat family_berbew 
behavioral2/memory/3900-104-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023280-111.dat family_berbew behavioral2/memory/4056-112-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023282-119.dat family_berbew behavioral2/memory/1716-121-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023284-122.dat family_berbew behavioral2/memory/1692-128-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023286-136.dat family_berbew behavioral2/memory/1180-137-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023288-143.dat family_berbew behavioral2/memory/2500-144-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002328a-152.dat family_berbew behavioral2/files/0x000700000002328c-154.dat family_berbew behavioral2/memory/2988-153-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/1616-161-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/1120-169-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002328e-168.dat family_berbew behavioral2/files/0x0007000000023290-175.dat family_berbew behavioral2/memory/3960-176-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023292-183.dat family_berbew behavioral2/memory/2964-185-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023294-191.dat family_berbew behavioral2/memory/1860-192-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x0007000000023296-194.dat family_berbew behavioral2/files/0x0007000000023298-208.dat family_berbew behavioral2/files/0x000700000002329a-215.dat family_berbew behavioral2/memory/2352-217-0x0000000000400000-0x0000000000440000-memory.dmp 
family_berbew behavioral2/memory/4316-224-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x000700000002329c-225.dat family_berbew behavioral2/files/0x000700000002329e-232.dat family_berbew behavioral2/memory/3640-233-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/memory/1368-241-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000232a0-240.dat family_berbew behavioral2/memory/4896-248-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000232a2-249.dat family_berbew behavioral2/files/0x00070000000232a4-255.dat family_berbew behavioral2/memory/2152-263-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral2/files/0x00070000000232a9-264.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1708 Adhdjpjf.exe 3444 Bgkiaj32.exe 856 Boenhgdd.exe 2268 Cgqlcg32.exe 4928 Dnajppda.exe 2424 Ebdlangb.exe 3588 Eojiqb32.exe 216 Figgdg32.exe 4660 Fqeioiam.exe 1660 Fnkfmm32.exe 1028 Gejhef32.exe 676 Hlppno32.exe 3900 Hifmmb32.exe 4056 Ibqnkh32.exe 1716 Iiopca32.exe 1692 Ibjqaf32.exe 1180 Jekjcaef.exe 2500 Jemfhacc.exe 2988 Jeocna32.exe 1616 Jbccge32.exe 1120 Jbepme32.exe 3960 Kolabf32.exe 2964 Klpakj32.exe 1860 Kcmfnd32.exe 2036 Kcoccc32.exe 2192 Kofdhd32.exe 2352 Lljdai32.exe 4316 Lebijnak.exe 3640 Laiipofp.exe 1368 Legben32.exe 4896 Lfiokmkc.exe 4264 Mfkkqmiq.exe 2152 Mcoljagj.exe 1096 Mlhqcgnk.exe 4628 Mqjbddpl.exe 1032 Nmfmde32.exe 4392 Ncpeaoih.exe 3860 Nimmifgo.exe 4924 Nofefp32.exe 1160 Ooibkpmi.exe 3888 Ojnfihmo.exe 4576 Ofegni32.exe 2864 Oblhcj32.exe 5016 Omalpc32.exe 3956 Obnehj32.exe 1268 Oqoefand.exe 3648 Ojhiogdd.exe 1332 Pqbala32.exe 2308 Pfojdh32.exe 4480 Padnaq32.exe 1336 Pafkgphl.exe 3112 Pfccogfc.exe 4456 Pmmlla32.exe 4568 Pfepdg32.exe 4192 Pmphaaln.exe 1976 Pjcikejg.exe 2168 Qiiflaoo.exe 432 Qpbnhl32.exe 4176 Aibibp32.exe 1704 Abjmkf32.exe 1156 Bigbmpco.exe 4744 Bpqjjjjl.exe 2076 Bapgdm32.exe 4064 Bbaclegm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Glofjfnn.dll Bigbmpco.exe File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe Egkddo32.exe File created C:\Windows\SysWOW64\Lhaiafem.dll Ekimjn32.exe File created C:\Windows\SysWOW64\Enjfli32.exe Epffbd32.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Enlcahgh.exe File created C:\Windows\SysWOW64\Ogeigbeb.dll Fnhbmgmk.exe File opened for modification C:\Windows\SysWOW64\Gbmadd32.exe Gclafmej.exe File created C:\Windows\SysWOW64\Dlhcmpgk.dll Hifmmb32.exe File created C:\Windows\SysWOW64\Mlmadjhb.dll Pfepdg32.exe File opened for modification C:\Windows\SysWOW64\Ibqnkh32.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Ncpeaoih.exe Nmfmde32.exe File created C:\Windows\SysWOW64\Pfojdh32.exe Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Enopghee.exe Eqkondfl.exe File created C:\Windows\SysWOW64\Jgjjlakk.dll Eqkondfl.exe File created C:\Windows\SysWOW64\Kfkklk32.dll Gdgdeppb.exe File created C:\Windows\SysWOW64\Hgeqca32.dll Eojiqb32.exe File created C:\Windows\SysWOW64\Benibond.dll Jbccge32.exe File opened for modification C:\Windows\SysWOW64\Epffbd32.exe Ekimjn32.exe File created C:\Windows\SysWOW64\Jhijep32.dll Boenhgdd.exe File created C:\Windows\SysWOW64\Ablmdkdf.dll Kolabf32.exe File opened for modification C:\Windows\SysWOW64\Legben32.exe Laiipofp.exe File created C:\Windows\SysWOW64\Lfiokmkc.exe Legben32.exe File created C:\Windows\SysWOW64\Oblhcj32.exe Ofegni32.exe File created C:\Windows\SysWOW64\Dpagekkf.dll Ccppmc32.exe File opened for modification C:\Windows\SysWOW64\Cdaile32.exe Cgmhcaac.exe File created C:\Windows\SysWOW64\Hjmgbm32.dll Gclafmej.exe File created C:\Windows\SysWOW64\Egopbhnc.dll Laiipofp.exe File created C:\Windows\SysWOW64\Pafkgphl.exe Padnaq32.exe File opened for modification C:\Windows\SysWOW64\Dnngpj32.exe Dahfkimd.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Dnajppda.exe File created C:\Windows\SysWOW64\Kofdhd32.exe Kcoccc32.exe File created 
C:\Windows\SysWOW64\Eclbio32.dll Enopghee.exe File created C:\Windows\SysWOW64\Iffahdpm.dll Fjeplijj.exe File opened for modification C:\Windows\SysWOW64\Ggccllai.exe Fnhbmgmk.exe File created C:\Windows\SysWOW64\Mhbacd32.dll Kofdhd32.exe File opened for modification C:\Windows\SysWOW64\Laiipofp.exe Lebijnak.exe File created C:\Windows\SysWOW64\Mfnlgh32.dll Caqpkjcl.exe File created C:\Windows\SysWOW64\Fnkfmm32.exe Fqeioiam.exe File created C:\Windows\SysWOW64\Jbepme32.exe Jbccge32.exe File opened for modification C:\Windows\SysWOW64\Pmphaaln.exe Pfepdg32.exe File opened for modification C:\Windows\SysWOW64\Fjhmbihg.exe Fqphic32.exe File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Mqjbddpl.exe Mlhqcgnk.exe File created C:\Windows\SysWOW64\Qiiflaoo.exe Pjcikejg.exe File created C:\Windows\SysWOW64\Bagmdllg.exe Bkmeha32.exe File created C:\Windows\SysWOW64\Pknjieep.dll Bagmdllg.exe File created C:\Windows\SysWOW64\Hnmanm32.dll Cdhffg32.exe File created C:\Windows\SysWOW64\Gpmenm32.dll Ibqnkh32.exe File opened for modification C:\Windows\SysWOW64\Nofefp32.exe Nimmifgo.exe File opened for modification C:\Windows\SysWOW64\Ojnfihmo.exe Ooibkpmi.exe File created C:\Windows\SysWOW64\Obnehj32.exe Omalpc32.exe File created C:\Windows\SysWOW64\Ojhiogdd.exe Oqoefand.exe File created C:\Windows\SysWOW64\Aeodmbol.dll Pmphaaln.exe File opened for modification C:\Windows\SysWOW64\Dahfkimd.exe Dcffnbee.exe File created C:\Windows\SysWOW64\Anijgd32.dll Egkddo32.exe File opened for modification C:\Windows\SysWOW64\Enjfli32.exe Epffbd32.exe File created C:\Windows\SysWOW64\Jemfhacc.exe Jekjcaef.exe File created C:\Windows\SysWOW64\Ohfkgknc.dll Mfkkqmiq.exe File created C:\Windows\SysWOW64\Iocmhlca.dll Bapgdm32.exe File opened for modification C:\Windows\SysWOW64\Dckoia32.exe Dnngpj32.exe File created C:\Windows\SysWOW64\Kolabf32.exe Jbepme32.exe File created C:\Windows\SysWOW64\Hpkdfd32.dll Ojhiogdd.exe File 
created C:\Windows\SysWOW64\Padnaq32.exe Pfojdh32.exe File opened for modification C:\Windows\SysWOW64\Fnkfmm32.exe Fqeioiam.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5632 5308 WerFault.exe 198 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcpakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Lljdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfkkqmiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkoiaif.dll" Ooibkpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmbgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcnbjk.dll" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll" Caqpkjcl.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddklbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglfjicq.dll" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngckdnpn.dll" Fnkfmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqphic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jekjcaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiflaoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enopghee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjlpn32.dll" Ggccllai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll" Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" Bkmeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll" Enopghee.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caqpkjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll" Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll" Mqjbddpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll" Aibibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll" Egkddo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejhef32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" Fcpakn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfepdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcoccc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojnfihmo.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" Padnaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcikejg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll" Epffbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll" Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Jgjjlakk.dll" Eqkondfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll" Legben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcoljagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dncpkjoc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4036 wrote to memory of 1708 4036 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 89
PID 4036 wrote to memory of 1708 4036 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 89
PID 4036 wrote to memory of 1708 4036 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 89
PID 1708 wrote to memory of 3444 1708 Adhdjpjf.exe 90
PID 1708 wrote to memory of 3444 1708 Adhdjpjf.exe 90
PID 1708 wrote to memory of 3444 1708 Adhdjpjf.exe 90
PID 3444 wrote to memory of 856 3444 Bgkiaj32.exe 91
PID 3444 wrote to memory of 856 3444 Bgkiaj32.exe 91
PID 3444 wrote to memory of 856 3444 Bgkiaj32.exe 91
PID 856 wrote to memory of 2268 856 Boenhgdd.exe 92
PID 856 wrote to memory of 2268 856 Boenhgdd.exe 92
PID 856 wrote to memory of 2268 856 Boenhgdd.exe 92
PID 2268 wrote to memory of 4928 2268 Cgqlcg32.exe 93
PID 2268 wrote to memory of 4928 2268 Cgqlcg32.exe 93
PID 2268 wrote to memory of 4928 2268 Cgqlcg32.exe 93
PID 4928 wrote to memory of 2424 4928 Dnajppda.exe 94
PID 4928 wrote to memory of 2424 4928 Dnajppda.exe 94
PID 4928 wrote to memory of 2424 4928 Dnajppda.exe 94
PID 2424 wrote to memory of 3588 2424 Ebdlangb.exe 95
PID 2424 wrote to memory of 3588 2424 Ebdlangb.exe 95
PID 2424 wrote to memory of 3588 2424 Ebdlangb.exe 95
PID 3588 wrote to memory of 216 3588 Eojiqb32.exe 96
PID 3588 wrote to memory of 216 3588 Eojiqb32.exe 96
PID 3588 wrote to memory of 216 3588 Eojiqb32.exe 96
PID 216 wrote to memory of 4660 216 Figgdg32.exe 97
PID 216 wrote to memory of 4660 216 Figgdg32.exe 97
PID 216 wrote to memory of 4660 216 Figgdg32.exe 97
PID 4660 wrote to memory of 1660 4660 Fqeioiam.exe 98
PID 4660 wrote to memory of 1660 4660 Fqeioiam.exe 98
PID 4660 wrote to memory of 1660 4660 Fqeioiam.exe 98
PID 1660 wrote to memory of 1028 1660 Fnkfmm32.exe 99
PID 1660 wrote to memory of 1028 1660 Fnkfmm32.exe 99
PID 1660 wrote to memory of 1028 1660 Fnkfmm32.exe 99
PID 1028 wrote to memory of 676 1028 Gejhef32.exe 100
PID 1028 wrote to memory of 676 1028 Gejhef32.exe 100
PID 1028 wrote to memory of 676 1028 Gejhef32.exe 100
PID 676 wrote to memory of 3900 676 Hlppno32.exe 101
PID 676 wrote to memory of 3900 676 Hlppno32.exe 101
PID 676 wrote to memory of 3900 676 Hlppno32.exe 101
PID 3900 wrote to memory of 4056 3900 Hifmmb32.exe 102
PID 3900 wrote to memory of 4056 3900 Hifmmb32.exe 102
PID 3900 wrote to memory of 4056 3900 Hifmmb32.exe 102
PID 4056 wrote to memory of 1716 4056 Ibqnkh32.exe 103
PID 4056 wrote to memory of 1716 4056 Ibqnkh32.exe 103
PID 4056 wrote to memory of 1716 4056 Ibqnkh32.exe 103
PID 1716 wrote to memory of 1692 1716 Iiopca32.exe 104
PID 1716 wrote to memory of 1692 1716 Iiopca32.exe 104
PID 1716 wrote to memory of 1692 1716 Iiopca32.exe 104
PID 1692 wrote to memory of 1180 1692 Ibjqaf32.exe 105
PID 1692 wrote to memory of 1180 1692 Ibjqaf32.exe 105
PID 1692 wrote to memory of 1180 1692 Ibjqaf32.exe 105
PID 1180 wrote to memory of 2500 1180 Jekjcaef.exe 106
PID 1180 wrote to memory of 2500 1180 Jekjcaef.exe 106
PID 1180 wrote to memory of 2500 1180 Jekjcaef.exe 106
PID 2500 wrote to memory of 2988 2500 Jemfhacc.exe 107
PID 2500 wrote to memory of 2988 2500 Jemfhacc.exe 107
PID 2500 wrote to memory of 2988 2500 Jemfhacc.exe 107
PID 2988 wrote to memory of 1616 2988 Jeocna32.exe 108
PID 2988 wrote to memory of 1616 2988 Jeocna32.exe 108
PID 2988 wrote to memory of 1616 2988 Jeocna32.exe 108
PID 1616 wrote to memory of 1120 1616 Jbccge32.exe 109
PID 1616 wrote to memory of 1120 1616 Jbccge32.exe 109
PID 1616 wrote to memory of 1120 1616 Jbccge32.exe 109
PID 1120 wrote to memory of 3960 1120 Jbepme32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe" | 1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Adhdjpjf.exe | C:\Windows\system32\Adhdjpjf.exe | 2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Bgkiaj32.exe | C:\Windows\system32\Bgkiaj32.exe | 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Boenhgdd.exe | C:\Windows\system32\Boenhgdd.exe | 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Cgqlcg32.exe | C:\Windows\system32\Cgqlcg32.exe | 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Dnajppda.exe | C:\Windows\system32\Dnajppda.exe | 6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Ebdlangb.exe | C:\Windows\system32\Ebdlangb.exe | 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Eojiqb32.exe | C:\Windows\system32\Eojiqb32.exe | 8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Figgdg32.exe | C:\Windows\system32\Figgdg32.exe | 9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Fqeioiam.exe | C:\Windows\system32\Fqeioiam.exe | 10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Fnkfmm32.exe | C:\Windows\system32\Fnkfmm32.exe | 11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Gejhef32.exe | C:\Windows\system32\Gejhef32.exe | 12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Hlppno32.exe | C:\Windows\system32\Hlppno32.exe | 13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Hifmmb32.exe | C:\Windows\system32\Hifmmb32.exe | 14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Ibqnkh32.exe | C:\Windows\system32\Ibqnkh32.exe | 15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Iiopca32.exe | C:\Windows\system32\Iiopca32.exe | 16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ibjqaf32.exe | C:\Windows\system32\Ibjqaf32.exe | 17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Jekjcaef.exe | C:\Windows\system32\Jekjcaef.exe | 18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Jemfhacc.exe | C:\Windows\system32\Jemfhacc.exe | 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Jeocna32.exe | C:\Windows\system32\Jeocna32.exe | 20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Jbccge32.exe | C:\Windows\system32\Jbccge32.exe | 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jbepme32.exe | C:\Windows\system32\Jbepme32.exe | 22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Kolabf32.exe | C:\Windows\system32\Kolabf32.exe | 23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3960 -
C:\Windows\SysWOW64\Klpakj32.exe | C:\Windows\system32\Klpakj32.exe | 24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Kcmfnd32.exe | C:\Windows\system32\Kcmfnd32.exe | 25⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kcoccc32.exe | C:\Windows\system32\Kcoccc32.exe | 26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Kofdhd32.exe | C:\Windows\system32\Kofdhd32.exe | 27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Lljdai32.exe | C:\Windows\system32\Lljdai32.exe | 28⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Lebijnak.exe | C:\Windows\system32\Lebijnak.exe | 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Laiipofp.exe | C:\Windows\system32\Laiipofp.exe | 30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Legben32.exe | C:\Windows\system32\Legben32.exe | 31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Lfiokmkc.exe | C:\Windows\system32\Lfiokmkc.exe | 32⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Mfkkqmiq.exe | C:\Windows\system32\Mfkkqmiq.exe | 33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Mcoljagj.exe | C:\Windows\system32\Mcoljagj.exe | 34⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Mlhqcgnk.exe | C:\Windows\system32\Mlhqcgnk.exe | 35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Mqjbddpl.exe | C:\Windows\system32\Mqjbddpl.exe | 36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Nmfmde32.exe | C:\Windows\system32\Nmfmde32.exe | 37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Ncpeaoih.exe | C:\Windows\system32\Ncpeaoih.exe | 38⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Nimmifgo.exe | C:\Windows\system32\Nimmifgo.exe | 39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Nofefp32.exe | C:\Windows\system32\Nofefp32.exe | 40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Ooibkpmi.exe | C:\Windows\system32\Ooibkpmi.exe | 41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Ojnfihmo.exe | C:\Windows\system32\Ojnfihmo.exe | 42⤵
- Executes dropped EXE
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Ofegni32.exe | C:\Windows\system32\Ofegni32.exe | 43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Oblhcj32.exe | C:\Windows\system32\Oblhcj32.exe | 44⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Omalpc32.exe | C:\Windows\system32\Omalpc32.exe | 45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Obnehj32.exe | C:\Windows\system32\Obnehj32.exe | 46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Oqoefand.exe | C:\Windows\system32\Oqoefand.exe | 47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Ojhiogdd.exe | C:\Windows\system32\Ojhiogdd.exe | 48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Pqbala32.exe | C:\Windows\system32\Pqbala32.exe | 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Pfojdh32.exe | C:\Windows\system32\Pfojdh32.exe | 50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Padnaq32.exe | C:\Windows\system32\Padnaq32.exe | 51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4480 -
C:\Windows\SysWOW64\Pafkgphl.exe | C:\Windows\system32\Pafkgphl.exe | 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Pfccogfc.exe | C:\Windows\system32\Pfccogfc.exe | 53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Pmmlla32.exe | C:\Windows\system32\Pmmlla32.exe | 54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Pfepdg32.exe | C:\Windows\system32\Pfepdg32.exe | 55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Pmphaaln.exe | C:\Windows\system32\Pmphaaln.exe | 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Pjcikejg.exe | C:\Windows\system32\Pjcikejg.exe | 57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Qiiflaoo.exe | C:\Windows\system32\Qiiflaoo.exe | 58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Qpbnhl32.exe | C:\Windows\system32\Qpbnhl32.exe | 59⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Aibibp32.exe | C:\Windows\system32\Aibibp32.exe | 60⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Abjmkf32.exe | C:\Windows\system32\Abjmkf32.exe | 61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Bigbmpco.exe | C:\Windows\system32\Bigbmpco.exe | 62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Bpqjjjjl.exe | C:\Windows\system32\Bpqjjjjl.exe | 63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Bapgdm32.exe | C:\Windows\system32\Bapgdm32.exe | 64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Bbaclegm.exe | C:\Windows\system32\Bbaclegm.exe | 65⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Babcil32.exe | C:\Windows\system32\Babcil32.exe | 66⤵
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Bfolacnc.exe | C:\Windows\system32\Bfolacnc.exe | 67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:724 -
C:\Windows\SysWOW64\Bphqji32.exe | C:\Windows\system32\Bphqji32.exe | 68⤵ PID:4988
-
C:\Windows\SysWOW64\Bkmeha32.exe | C:\Windows\system32\Bkmeha32.exe | 69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\Bagmdllg.exe | C:\Windows\system32\Bagmdllg.exe | 70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Cajjjk32.exe | C:\Windows\system32\Cajjjk32.exe | 71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Cdhffg32.exe | C:\Windows\system32\Cdhffg32.exe | 72⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Cienon32.exe | C:\Windows\system32\Cienon32.exe | 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Cdjblf32.exe | C:\Windows\system32\Cdjblf32.exe | 74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5020 -
C:\Windows\SysWOW64\Cmbgdl32.exe | C:\Windows\system32\Cmbgdl32.exe | 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Ccppmc32.exe | C:\Windows\system32\Ccppmc32.exe | 76⤵
- Drops file in System32 directory
PID:4984 -
C:\Windows\SysWOW64\Caqpkjcl.exe | C:\Windows\system32\Caqpkjcl.exe | 77⤵
- Drops file in System32 directory
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Cgmhcaac.exe | C:\Windows\system32\Cgmhcaac.exe | 78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Cdaile32.exe | C:\Windows\system32\Cdaile32.exe | 79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Dmjmekgn.exe | C:\Windows\system32\Dmjmekgn.exe | 80⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Dcffnbee.exe | C:\Windows\system32\Dcffnbee.exe | 81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Dahfkimd.exe | C:\Windows\system32\Dahfkimd.exe | 82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\Dnngpj32.exe | C:\Windows\system32\Dnngpj32.exe | 83⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Dckoia32.exe | C:\Windows\system32\Dckoia32.exe | 84⤵ PID:5180
-
C:\Windows\SysWOW64\Ddklbd32.exe | C:\Windows\system32\Ddklbd32.exe | 85⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Dncpkjoc.exe | C:\Windows\system32\Dncpkjoc.exe | 86⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Egkddo32.exe | C:\Windows\system32\Egkddo32.exe | 87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Ekimjn32.exe | C:\Windows\system32\Ekimjn32.exe | 88⤵
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Epffbd32.exe | C:\Windows\system32\Epffbd32.exe | 89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Enjfli32.exe | C:\Windows\system32\Enjfli32.exe | 90⤵ PID:5460
-
C:\Windows\SysWOW64\Ecgodpgb.exe | C:\Windows\system32\Ecgodpgb.exe | 91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5504 -
C:\Windows\SysWOW64\Enlcahgh.exe | C:\Windows\system32\Enlcahgh.exe | 92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5548 -
C:\Windows\SysWOW64\Eqkondfl.exe | C:\Windows\system32\Eqkondfl.exe | 93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Enopghee.exe | C:\Windows\system32\Enopghee.exe | 94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Fclhpo32.exe | C:\Windows\system32\Fclhpo32.exe | 95⤵ PID:5680
-
C:\Windows\SysWOW64\Fjeplijj.exe | C:\Windows\system32\Fjeplijj.exe | 96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Fqphic32.exe | C:\Windows\system32\Fqphic32.exe | 97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Fjhmbihg.exe | C:\Windows\system32\Fjhmbihg.exe | 98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Fcpakn32.exe | C:\Windows\system32\Fcpakn32.exe | 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Fdpnda32.exe | C:\Windows\system32\Fdpnda32.exe | 100⤵ PID:5940
-
C:\Windows\SysWOW64\Fnhbmgmk.exe | C:\Windows\system32\Fnhbmgmk.exe | 101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Ggccllai.exe | C:\Windows\system32\Ggccllai.exe | 102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Gdgdeppb.exe | C:\Windows\system32\Gdgdeppb.exe | 103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6120 -
C:\Windows\SysWOW64\Ggepalof.exe | C:\Windows\system32\Ggepalof.exe | 104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Gnohnffc.exe | C:\Windows\system32\Gnohnffc.exe | 105⤵ PID:5248
-
C:\Windows\SysWOW64\Gclafmej.exe | C:\Windows\system32\Gclafmej.exe | 106⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Gbmadd32.exe | C:\Windows\system32\Gbmadd32.exe | 107⤵ PID:5308
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 400 | 108⤵
- Program crash
PID:5632
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5308 -ip 5308 | 1⤵ PID:5352
-
C:\Windows\System32\sihclient.exe | C:\Windows\System32\sihclient.exe /cv ACMNA/1H10+Px2MZmhhQVA.0.2 | 1⤵ PID:5356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8 | 1⤵ PID:5748
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
256KB
MD5: 402180dcd6d3a8f18358c5d1de197b79
SHA1: 0c53b6038ed17c614e0a20ea6ac879337897b07a
SHA256: e778baf40ac0fd2eeb3a21e68209935dbc4f2ebe996079dc76a940b369f3e084
SHA512: 699c92fe0ce5f58b18a56c81166f74687dabd048c9a24b42cb0854543e4f96eb4526d595a99cf6c0d78e0542efe47bccc7fc20ad0f0c7b7d006be468876ea988
-
Filesize
256KB
MD5: 58cd0af1883e50822973cea56a7eff9b
SHA1: 89ebc86bbe54e136c0856bbfb1ef61956c671e60
SHA256: e0475a042fe95cdfc93d95543ba86f75321089b211d24e228f551a53d25fac2d
SHA512: a7151214c5994ca9f09d04591d8c55ed35d50fa7e0a1a4095a18ceddd5e03ad93bbaa84432028c5a4b246945c52a4f2572d1376781703d7c87dcc2412b1a6f09
-
Filesize
256KB
MD5: 02042593446dbc597a7f7c5fccdfd243
SHA1: ac5d134774abd273a3c573ba7ae048e03df47177
SHA256: 8946144b94a777d7076228c75372d8903939dc2957ae769fa880f40f879e6ba7
SHA512: bced6fb1e5ff74b84324fd99eadef826d18cd48d11f30decfbd500a1e6814cac8f3c4f8c61ea35cc7753f07bf53e6285c058d9011b65ad8c1375375667923d37
-
Filesize
256KB
MD5: a075aae1209ee0c3b5d1de48885bf335
SHA1: 9cf41ff3c0416038b0a71e898f6dbec2346fee89
SHA256: 99fb1fcea51cd4dc3096c7dda5d3c814f014d54a803af7d8f3316795d380744d
SHA512: 2d074ee63a69b9aa083d9297eeed5037bfb6797f66783754d4fad608f572c59eb9250daa9e8bd5787d245d9dbeb1fb648a5da49e82f332833d2e3ee84ddefced
-
Filesize
256KB
MD5: 1d5b734469e935cb86995deeb625a861
SHA1: 5976eece7fcca26184e05d1a3d7fb61761bc4f27
SHA256: 3caaf50feef32ad59a38f4a25306c4fc1b2a336f7ce650638cb2f7b746ce4a08
SHA512: 633a32dc4b384078527cd6f4959c80ba19fb53cb3a7faf1b3fccb8621cb24fa99bee98e6a0fd678686f0c971b88c63333fb2f8fd86aec1e2fa45f2832322f040
-
Filesize
256KB
MD5: f62d60024693e607e0c0878bc932c914
SHA1: a8d69684b8ef1e920ce8762aa8cfb2cc83c2a801
SHA256: e9116943f4e346d6e2c5ba52e83a215a94b8369164afa678b8206ec5729c808b
SHA512: 3fb23480d0feaf67585227ea85c1c0f2a49539bbb643146af18daba36a770a7aaf7b69d79f531e49fb1a56f61694033acf6715b2336ab1c63ada670a163509ec
-
Filesize
256KB
MD5: bf73d9271e34e3d01f6700c5a351aac5
SHA1: 82313f0360f50afe2232b3773744b893d2558465
SHA256: 54e0ae15c60624779981ffa2fdff838209f53008152b3772bde6a882cdf05977
SHA512: 1d778905a6c0ae21afab2563ce0d3b10d6bc69c3932f8ff135e781a46c01303c1f33c99b5020772f82aa46372a9e8bff7e6c7dfc6491a9c3b877ea1a87a786b1
-
Filesize
256KB
MD5: b51eeecd8e941d977d4d8a75b0458cfd
SHA1: 40ab160832ca1dfb80b1c05f979526784d477564
SHA256: 6911decf305df23335902c2ff685ebdd85e0ef60c8cbadee202017c9727196b0
SHA512: 3d4d7f290d46ec3c2d93ee1914e2ca3a630b647fcba203b7a91bc36c351a593b6f67c3f404561c7b2b5304b7b53d8f2b1c91db43050a12a4c36ffd5d02eeabaf
-
Filesize
256KB
MD5: 1c2861121cbc4087b1c8f92bd719c901
SHA1: 34756d1301330901c37309fd2ed61fec97fca2b6
SHA256: e69554415d14870f480a0290c5ffac15d61c0fd7dd9dbc877559b88d5006c92a
SHA512: 416d24f4c2d1c2941be6a2c8aa2069097af2858ea807216c2ea82cd64cf0e4c33dbbeeaee5af90dafc9f545463b7433957b13f5d4875ec6e9d8179ab20026376
-
Filesize
256KB
MD5: a8b31bdbc0ff1b01d72dc503c4c850bb
SHA1: f48baccd281e9d4b2086d2de4f7bbcf40dc2e0b7
SHA256: e8f1e8561f4262edb5f65f9c21731be07a602157183819a0e4c95d9abda75b3c
SHA512: 34144729aec2069f887ff2d4c6b0758c5e77493690710fe6e1d5e7c844c6b133548298a824c31bd574b42cb32ce2b2f19a233d4518621309b3f528cf7e3a56b3
-
Filesize
256KB
MD5: f555a883908d4bdca439125008f86c03
SHA1: 82878350acf683bb53fa0b51e9b409d65d1734b5
SHA256: ac5567dac07942b9082206b1db300c28bde239caff30582527d9d350e634d32b
SHA512: 0874e9851f77b5cdeb2a324e92ceb4e26ab75e4ae21e1800c29a29c527065170fe47822c215c319f458b43cb1a369883c27bb8c843a0e012ba92010237b3757c
-
Filesize
256KB
MD5: 292699cac03f5597c20476ba330a4dcf
SHA1: 71dbf986347638c46d3292293ba2f014b626fb60
SHA256: edeb36a9769a761c76d0960e9a403a89b8544e2e7263c2419b0031d803446499
SHA512: 17cd9f2ad601b4b95683d2c80b41be77c304a19c8bee3ed616127cb37223074d5f454644c8c19efbaf90133bccaadd7c1686b31c76e51723d435b061f3b76365
-
Filesize
256KB
MD5: 9db856a037f125e6ff13bc19f7aad747
SHA1: 1c6de18c64b3143474bce821c07e32421d36a0c4
SHA256: c7018236384953eceea63a6846c060de7d792363303cb2c2bda7368e4bb0e967
SHA512: ed6c7cde7370b0ab21a883c897a28666e7e78bf74e34a0020965d87c82fc9493e3cc31be258e605176c83fffceadad3f28d50e163443f3812b85e411d5774ad9
-
Filesize
256KB
MD5: 5f6288db70b8a1f92e7a19a06315c4d5
SHA1: c855dec152a0d0d7ce79b2d5cc498a39c5edb899
SHA256: c974957dd2525c8791dec3ae20d436a29fba069fc93a86a2ffa3f6f4d1139d2e
SHA512: c2060fa883a3048ba1a654e65b7ef9f00c567eeeb32298a56bf2966327871567daa8abc8bd58e809ad9d09b6c98ff83f2717edd14e4365c3404703f08a116842
-
Filesize
256KB
MD5: c6479250fe843536bcd5ef11190fd994
SHA1: f639aaec8b1449c442401e76bc8d6e180f0e40e4
SHA256: e2a51c84d26c777475d5b05efb24b7b57fe202b996fe659a3c4a1c83d185c5bc
SHA512: 8bb5e0340567be93c9a2332245b2f07d1b3c2f6c1ec63979783d245bed23111d0ae9a84aad10a8b0b7818ae9cbddb2fe16bd37891301549f63f365d88c2d2ece
-
Filesize
256KB
MD5: 109e847cbc2f25c56c1aa9ce71d556c6
SHA1: bff8870b78ebb27dca228afd299419522c773160
SHA256: d4699b33527644c04d52e2def05e2f86f6491acf4a374e797504b999dd538b8e
SHA512: c6e634a0da802236d4e6a62ce6235ebaa372ffc5992571460a777b7c634548094311b0ad8086c2da7e887f14496837b02bdc17934add0863c6bf2dbca3c82ccf
-
Filesize
256KB
MD5: 35e108bed1f6951de71b7e61948c338e
SHA1: d571847a15ab07b78fce3b84d9f3b198838131d9
SHA256: dfd42432a432b4e3f053529800efaad60238176e8ae520cf7ff718df803a2dee
SHA512: d5c3526e617d7ae6f47e066f26b5746626b6216144be67727de78eeaac8cc56174ef71977ef5d00764cc4bb5b8a008f351534142a4124737d7ec1983e609988c
-
Filesize
256KB
MD5: 42ff91b89637f5f9faa923f69ec653b9
SHA1: 6423afc3ad2ad1e6b2511263848138296c9a97e0
SHA256: 5d3c156c7f09403fb6aa8b43e5505619ab627e47d6aa285e8ae777518da74a65
SHA512: d80b8f330abf00582c189fb48fc370ae95d0d7237fa57c46f12c21883e0dfe751b02989169cef72a06423df8d54fe7b9cf496ef8e307781a94d90b023ef2b515
-
Filesize
256KB
MD5: 95707ff659128892ca1ab6ce8e128ec4
SHA1: 90ba6db4bf48a493183a0577ddd530d20d6e2417
SHA256: 34b8f09775e63971143cf9ccb218aaa905504d9d6f93e7afa9801f2d7bb3f554
SHA512: 6bbea05c8479cdeb7146ed358221d35edc1d70af5cfaf56e73d842bffc055d18a2140f6998d04b4c0cea534c8f1e11a704d08e1780d55979692ed0b8ebbacc7c
-
Filesize
256KB
MD5: 193e1de808dffd15ab42f62d2671ebc9
SHA1: 5891a82d72f757d536003f6279e8b8945be89956
SHA256: 586760787b717300be4b8cf81e6dab3f0159782676e8eb6b43683660bfd566a5
SHA512: 97489ae9f5ad2041083f6fa0ce3bd5327679533a3bc091bfafa22c6718c7edea257bb7493296636cdb313131f415dbd2376ce516733fbe9de6735811af6ef336
-
Filesize
256KB
MD5: 2f274ed615f49dfbf641189142c87db4
SHA1: 964ddd4f64101878cbdb806e76f8d67c9b59d3c1
SHA256: 017bf42e542c1ff0aadc050c3cb97a93e69c67e67ee71c6e1f047ef9b939978e
SHA512: de253532aa8f0778cbfb0ec70361dcfe50790dc17d505f98cbd4224fb285213f549343724e73727fcc38b012c0af370b8b6c1610f615c2f434b6d5fdab0b85dc
-
Filesize
256KB
MD5: 087d43deda46f410ff4b59c45223ca7c
SHA1: 773032a4e73e7615b57e960c66f4e56bd595e8f7
SHA256: 7092bf4f96d0d8a1e8af483f88692973f8ac48754e9306008cc5f64ff0382140
SHA512: 5a497ac8cfe7502721e92df8001e04366841c840559095723314d1551d45d853deedef453eeaef64af532bcd73cd849c715e56ba3e96e07208ca249f432fdf73
-
Filesize
256KB
MD5: 265bc1be3508dccdf5f73642f88cedce
SHA1: 386a664244aca3f0bd4203ed10c77b37d9329d89
SHA256: b7c4e1e7466752cf006650ceed2a1c5e407f34d5d4784f7eb5fb157a0dce9bef
SHA512: 964c64ba3acfcc7377f7daf467070452accaa57ea9d81ba11323e3d012a8859fc593efda8484897f1b23830cdb4069d3f50e0adf81d055f8e96f85ca1746410f
-
Filesize
256KB
MD5: d822b7a1206fa4700727e04b8df186c4
SHA1: d39e45952f80c192c5802f586ceb248889db5205
SHA256: 75d9976b3663ba78ee917b6988ce1d88468af1d3863d26b9d6db8cd41ca336eb
SHA512: 5cf85f21a593b119251ca9f1ffbb9a016f76289cfa603c140870cf306bae05ee9a7cf8293a426e4a44212a342f9de274682d4ed2e546cbbaf144f1b37d52579b
-
Filesize
256KB
MD5: 21a750274472739d358420bd8e0da2d9
SHA1: 883531d8b89846862b70c5c6599815a9ef99e96d
SHA256: 3d7a0f8635077e34b625c7f4b842eaa853ae36956ce7c3ab55c7fa06c7416a52
SHA512: 30a3cfa2089dab8c3509ab97ca8660104bfd50fe9655dd981992d5670c7e437cd538d650b76e330f32bab8a41b4248e59ceb20d70b5936929bd112b938bd233e
-
Filesize
256KB
MD5: aa650d41ee059a8614ff5d8d44801211
SHA1: 04278991b88cce19f69c77b8d9563116ad929d25
SHA256: a6da02867b31cb870420f98c6c394c5ebdc04c6871a035a9815e55c9767dca0e
SHA512: 6aaba298ccb9818169af748cc0a5652a4fcbe3d7bf68ebef75a2d2a1356a14a290513792a9dadf3d11efc0f08398555e0bff7a52cf9ccf47b12a11d097f3e9f7
-
Filesize
256KB
MD5: da46e9d64ddc5638c01e2e1671cf3268
SHA1: 92e483535d7b1e7f7bb21eb1e3031c10ea548a1d
SHA256: ce8a780877055b58f21d9683c758d81892b6feed1ff1fd2906ee18a8382c511e
SHA512: abda639b3395e19da95630830d2a2b3da24258475edc6ec93319e1d8c7c54bd8fcb45741d9da16d9bafbd8cfae8caf63e3d61996d75b02db5b40479145438617
-
Filesize
256KB
MD5: 8bed5ccdce33bb0ca2a5366e6c1957bf
SHA1: ffedd40712b08692828306e28f8d643f8c2efe3e
SHA256: b17b84ad4f38d03374778202f8e63462bfcdc9c1db08dba362e6c08aee6fa7a9
SHA512: c1faeaa147a49df6b007c347f02c290f0a3566d09e2f359fd60060a228a8cf7c531c08c20bd5682bf2564317f846050d33515cc4ca2d958788debb2f88309f57
-
Filesize
256KB
MD5: e63f773dd4cad5c6b285bc1b06b0e2e6
SHA1: 9bcb36d8ff7738e7188853a222ac99f1adf98f40
SHA256: acaedeb8148b4ff35db8ad5026e356154d1157e0b24a75edfd7341c3f2b4fa7b
SHA512: 96773ce23f0663a8f95be0ea3ba97f30de2cc3d525bac172f58234b352cc18645fa005b19617bfbffa4ef36f110943c7d1d8916b2c924039d76de8d0c01fe626
-
Filesize
256KB
MD5: 17c6a7d86d4a785097cc16659c1bd9fe
SHA1: 0d363d81e74e6570e4de80ab5a4136ac69162cbe
SHA256: d719ef6d898fe9e2ffa5fb7fcf95ddd0bb1df5623752379c9cb69e3aa2881242
SHA512: c447c3179e1092fb8c5f456956cad23f5ff5ac00981e05d850a3507ea6b72d60c21fd3337a799625aca121b6b8703030dfc70768dd928e6342b1d0e32ff67fcb
-
Filesize
256KB
MD5: ab4fbf2c81e66d058f301b74e6c57bf2
SHA1: 03da72e4a6ce6a1e69cb7b44dda8f3e8f0b7dafc
SHA256: eb1f16661a0c0222e762108ca317472b8ddf3c5e494b463e87348b45cd9d0fb1
SHA512: 8a229dac9f2e2d154a8a9da7af2c1b978b14938b84abeecee77a0ac17619ea65f8362411b932505d71cd15616f8b9f41d25b0b63e7e6e319fd26c08d9d2e21c2
-
Filesize
256KB
MD5: 7cfa38f0a2bda6d321477445f954345b
SHA1: fd033394aa3469153acb35421a326ee4a5fa8fb6
SHA256: 63ddd43e119b883bedbe4ef92403531398b859cf5d62b0a3d8904d5b8e5d109c
SHA512: 363ae549b28ba08920ea20176943b9b2fcc4bfcc16beed2e2f4bd6f51257f7f8897bd2aa83dbb39ecde4ba62ba198a06ecd66f0ce65e452014c51bb1079fe163
-
Filesize
256KB
MD5: 93be7775128bd3165c77e177dac20fe7
SHA1: 5c9e9a243ff09e0d9a7927e36d8cc4056e95bb1a
SHA256: 07018277dadf1207b2154b44d4426d04bc468fff23943e7dae97d8728a924de1
SHA512: aa0f7bb668b96d86111bf5d6f20386c29a81e18dd397d825bb42ff5b6eceb166d8d6df395111e614978faf9587064fcdf4fb1c038aa2c64cc6e9411ec9f9e3c2
-
Filesize
256KB
MD5: 621c56789485a03ed02506ddc519576a
SHA1: 3920c7c094d17eb94fab08b2aafd92cf786e4d22
SHA256: 87065b0a66512faef9f4ddcac27a3d5baa1f19121225deab8dea1aafe8db6e56
SHA512: dd360809fb937dc4e418bcadaa599761de4cd02f0a24dbd7535f311c241e61d1772d4e489e7279109e18a3a5eb5fe8caad81625964fa5dc9e9e1540c393fc661
-
Filesize
256KB
MD5: df5f78371506b323657b4ecdbea0e4cf
SHA1: 0298c26f869a9f829c38f7ffceb4f035614ed827
SHA256: 88e8d73c5b2eaf6a1eff07f97f81cdb3cac588a131f8233c3bb0930f86d8f5d2
SHA512: f82d58f991ccc337d100bda11f080d19bbec630582c728710efd3f4a55ef2becac7f4d94466aaf7f1b0869ecf6f543757fdef3bf2610c2d7e0f5aba9223f7ed4
-
Filesize
256KB
MD5: a4d5c1193a6799f726da5a3a6d9570c1
SHA1: 48a9cdc5cccf5df5ccc59635697a653bb0f88d6f
SHA256: 17587ab5d78c7302ed9802c1e97c6efe2c52c52bcc1b8fb37d0273b56f79ad67
SHA512: 55ea38b83216c2211bac42c2dc68010b656f1e0240356481ab7eb177e0b6f50c0f5b0eedbcf59d781799e9adcd25604aabe4442f73c487dd4f59619c24b40ba3
-
Filesize
256KB
MD5: cade036b7b70d45cf1ac157d3073716d
SHA1: 23e787cefb19b8c039419b3447cdc3f624c31e49
SHA256: 77a8cec87f8447a902c66250e0301f713267b6ab3e711b1f52abcca105eb8b63
SHA512: 766e114484bd64af2475635aa93165c92973b57056db087deca7ce5eb178c5914514cc9bb11f6908463a2f026167309f340cbbcead93eda179475e144e82a7f8
-
Filesize
256KB
MD5: c05859c0596a9a0566a0f138f09a21e5
SHA1: 76c74b04a781716a4f0d9b7ab9aaa1860aa6425b
SHA256: 3ba9fb5f3fb40b027374908c9194f1f736b860a33fcbf8ce4a969c1eedd0615e
SHA512: 9c159e102b19bf22ff24eb6c09a4e6f0b10692a4d30e3cb75c73ff3f42d3a37606bad37c5fa668fb1d355eec7d957e51e75b12b41305e354a76cbfa16ba227cb
-
Filesize
256KB
MD5: a2d39546568d0ad9fd05686a3556eb77
SHA1: 0a510ffdd1265380ab4058adfd3f0fc2bb4e15c4
SHA256: b783353f5bf3f08e9852c291d5639cbb0f73dd911e9841f039186c138b4c2c1d
SHA512: a05227dbfdf58a97fcc3cadd3c147233e178a5b7e29028c65a448a79636b7daa2aa07f99de9fc83730587d3be53ae06f315c41ebe9a87a9b5a7b7e0aab3b55d8
-
Filesize
256KB
MD5: c5223643a7a25e0ad0c47b2091e3118e
SHA1: 85a31e3ca4fb33af740952c52ec7d9750a07ea17
SHA256: 6dc171d485b2a2af628b24bba7604beb721f8eccb528285a113d182947af893f
SHA512: c307118d9f739958a4be94af0eeb51d2708e3ad13932941562677705ca489a180b7716b813da35a34d4393da51f78653e936bac865b6b5687c6c9b3904439bee
-
Filesize
256KB
MD5: 99acf05737109a98f230dd2718c3d9ff
SHA1: a0a26397868989289fca05e7a92ff858d374e90f
SHA256: 6af0851f77f5d7d07f3f63a9df9ef739ad7b6c9a6aa79a20aa82e3d5cfd42779
SHA512: d3dd5922daef0cf212a57e868219f88930ade912d034dc2837f4b4a9027231510e665a745da57a9bbef27dc9d0fb287aa91d15f512e81561189ecaa232d28c3c
-
Filesize
256KB
MD5: 4cbf02c70fb0c92a27e4c3e4d54072c7
SHA1: 85a3e4db91bc5c692c4e14e783d33fecddc40696
SHA256: 2a7bb86a4d056591e3352a4be74b05cf1a0d6adcdc2c5eaec9b6bdb14aca7fa8
SHA512: b5f3489b8a1696a5bdbb65325377747a1c1f6bbdb665c3c8b3292c33129a994c35b61980360c66dd7e13fe27a964cc362ee57bf35b03f9f80c7f5ea25d80d011
-
Filesize
256KB
MD5: 0dd0bc0589c07ba28d1a437e85518347
SHA1: 213a2366d0ad9cfda3fb6479368e920c7e9e5f8f
SHA256: 1edb52426e811fbb70a14d405fe03630c28c28d4508e5fa6d39b70b9a7a02b92
SHA512: 9b94586ab30bee1aeec0160fadf49b2d05b9b22723b24fffd52ae4c528df735ceccf7b5fddfd6a0f07fe9be6297b317c18e4670c490298bc0a2d72b2a5d5f214
-
Filesize
256KB
MD5: eeaabdfa270f1fb97995effe8b493a82
SHA1: 5ba45658efd240d8137d5f0c7ba35897c67bf2d2
SHA256: c8949e83c0f6b9b8fcdf0b2b643ef1f63e993917a81705b5a6b9ef2910c7bd3b
SHA512: 8ab9be2b0e7468e763266102baf5fc4d909cde9b6b3ab3ca421bab12b2a78c5e1b297b2b272301c52c4d5104f93ec98aa2de0f594500396dd5fe3cea7dd479c9
-
Filesize
256KB
MD5: 47f772f81b6e3722607fb6ec5861af2c
SHA1: cd1f889f7e788f4f8db71a9124979aa0352cf964
SHA256: 44ceb4ff2f8e7e0ab6028747f17213a65e86d2ccb3573d18e03413f6b7ec9d46
SHA512: 61310812ff935ebe71c618550e7a59a11cff6d3fc0f2a2c1f1da5ab4d0cebbb62336ea099220f039d480dc4e1ad1815434bbd1708be83ec774129bca8f84bd23
-
Filesize
256KB
MD5: 21ce1c46cf585c2ed7c07f539d4905aa
SHA1: f9c374d8c289d5015c1428e83a1c67820cb64624
SHA256: ddc049849a42dc6c69bb4e9307915755cd1765a39686c4b620117a32de047050
SHA512: 29254f59a529d41cd33bf856fabda0a3d80a72f9e73e85ff18ffb9accd015b267086ff9790faac31810784d45f4ac0ec1ca1c990e5820596e0eb15469944aeac
-
Filesize
256KB
MD5: 7c06bec53d244ceb77c945c3b06fc76b
SHA1: 4e37aa31481cce1904305afa6244ec2159c1ba07
SHA256: 554b906dc223d75cb29cf5a74b96a3ce8499de24e15e74a2de2043e706f48c0b
SHA512: 38f141e9e135d1f5f4ad26316ad32a34143eba5c4da784fde0370dea85e03be006dff3ac9fe3c671db477ff8508eeed8d034449270a9bf67ef57e01e6bcb8147