Analysis
max time kernel: 135s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 23:13
Behavioral task: behavioral1
Sample: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Size: 161KB
MD5: 08a8bb86eb04fbe319c1991fa80768b0
SHA1: da61ae0b807c4b6ae1ffb8a5ac5cb52e177641b5
SHA256: fc66d1ee7eae9136764b0164f42c4722728513bd2b8e1a7903b631305e1948cc
SHA512: dbea72e331176374bb5aac7cae2bf38148aeeda1a6735b0bbdab2c661a5275326b7fbbc0a0278b85e2979e0c5dbe1fc39cb6beab06994480699f94304b4dd921
SSDEEP: 3072:jVJK+9BDKJt6pOVpy4lkuVwtCJXeex7rrIRZK8K8/kv:jVEgBmJtimyWkuVwtmeetrIyR
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qmkadgpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qmmnjfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bchomn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Chmndlge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nloiakho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olcbmj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjeoglgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qmkadgpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjddphlq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmbplc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onhhamgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjjhbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agjhgngj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Danecp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nggjdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmoahijl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqppkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojjolnaq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfdodjhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjddphlq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfpgffpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjbpaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnffqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olhlhjpd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ognpebpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Baicac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pdkcde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjmgfgdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dodbbdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Npjebj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgioqq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmqmma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgllfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pclgkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bapiabak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndfqbhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocgmpccl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjmehkqk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgqeappe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcoenmao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djgjlelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ognpebpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjeoglgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjbpaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anmjcieo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfabnjjp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhkjej32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdkcde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bffkij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmpcfdmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Balpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlaegk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oddmdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmfhig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afhohlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afjlnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqmjog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeklkchg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aabmqd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnkgeg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhocqigp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onhhamgg.exe
Malware Dropper & Backdoor - Berbew 42 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
C:\Windows\SysWOW64\Nlmllkja.exe | family_berbew
C:\Windows\SysWOW64\Ndcdmikd.exe | family_berbew
C:\Windows\SysWOW64\Nloiakho.exe | family_berbew
C:\Windows\SysWOW64\Npjebj32.exe | family_berbew
C:\Windows\SysWOW64\Ndfqbhia.exe | family_berbew
C:\Windows\SysWOW64\Ngdmod32.exe | family_berbew
C:\Windows\SysWOW64\Nlaegk32.exe | family_berbew
C:\Windows\SysWOW64\Nggjdc32.exe | family_berbew
C:\Windows\SysWOW64\Olcbmj32.exe | family_berbew
C:\Windows\SysWOW64\Odkjng32.exe | family_berbew
C:\Windows\SysWOW64\Ogifjcdp.exe | family_berbew
C:\Windows\SysWOW64\Oncofm32.exe | family_berbew
C:\Windows\SysWOW64\Odmgcgbi.exe | family_berbew
C:\Windows\SysWOW64\Ojjolnaq.exe | family_berbew
C:\Windows\SysWOW64\Olhlhjpd.exe | family_berbew
C:\Windows\SysWOW64\Ognpebpj.exe | family_berbew
C:\Windows\SysWOW64\Onhhamgg.exe | family_berbew
C:\Windows\SysWOW64\Ogpmjb32.exe | family_berbew
C:\Windows\SysWOW64\Ojoign32.exe | family_berbew
C:\Windows\SysWOW64\Oddmdf32.exe | family_berbew
C:\Windows\SysWOW64\Ocgmpccl.exe | family_berbew
C:\Windows\SysWOW64\Pmoahijl.exe | family_berbew
C:\Windows\SysWOW64\Pgefeajb.exe | family_berbew
C:\Windows\SysWOW64\Pnonbk32.exe | family_berbew
C:\Windows\SysWOW64\Pqmjog32.exe | family_berbew
C:\Windows\SysWOW64\Pclgkb32.exe | family_berbew
C:\Windows\SysWOW64\Pjeoglgc.exe | family_berbew
C:\Windows\SysWOW64\Pdkcde32.exe | family_berbew
C:\Windows\SysWOW64\Pgioqq32.exe | family_berbew
C:\Windows\SysWOW64\Pmfhig32.exe | family_berbew
C:\Windows\SysWOW64\Pgllfp32.exe | family_berbew
C:\Windows\SysWOW64\Pjjhbl32.exe | family_berbew
C:\Windows\SysWOW64\Qgcbgo32.exe | family_berbew
C:\Windows\SysWOW64\Afoeiklb.exe | family_berbew
C:\Windows\SysWOW64\Bffkij32.exe | family_berbew
C:\Windows\SysWOW64\Bmbplc32.exe | family_berbew
C:\Windows\SysWOW64\Chmndlge.exe | family_berbew
C:\Windows\SysWOW64\Cjmgfgdf.exe | family_berbew
C:\Windows\SysWOW64\Cnkplejl.exe | family_berbew
C:\Windows\SysWOW64\Dhkjej32.exe | family_berbew
C:\Windows\SysWOW64\Dfpgffpm.exe | family_berbew
C:\Windows\SysWOW64\Dhocqigp.exe | family_berbew
Executes dropped EXE 64 IoCs
pid | process
2068 | Nlmllkja.exe
1436 | Ndcdmikd.exe
1528 | Nloiakho.exe
688 | Npjebj32.exe
2384 | Ndfqbhia.exe
1060 | Ngdmod32.exe
4600 | Nlaegk32.exe
2168 | Nggjdc32.exe
2132 | Olcbmj32.exe
960 | Odkjng32.exe
4124 | Ogifjcdp.exe
2396 | Oncofm32.exe
1028 | Odmgcgbi.exe
3272 | Ojjolnaq.exe
412 | Olhlhjpd.exe
4584 | Ognpebpj.exe
884 | Onhhamgg.exe
4424 | Ogpmjb32.exe
1016 | Ojoign32.exe
4104 | Oddmdf32.exe
4528 | Ocgmpccl.exe
4052 | Pmoahijl.exe
2692 | Pgefeajb.exe
1664 | Pnonbk32.exe
212 | Pqmjog32.exe
1512 | Pclgkb32.exe
232 | Pjeoglgc.exe
3664 | Pdkcde32.exe
1004 | Pgioqq32.exe
1116 | Pmfhig32.exe
2912 | Pgllfp32.exe
4636 | Pjjhbl32.exe
3116 | Pjmehkqk.exe
4212 | Qmkadgpo.exe
3380 | Qgqeappe.exe
940 | Qjoankoi.exe
4256 | Qmmnjfnl.exe
5020 | Qcgffqei.exe
2800 | Qgcbgo32.exe
1784 | Anmjcieo.exe
2296 | Aqkgpedc.exe
2376 | Afhohlbj.exe
2212 | Anogiicl.exe
3684 | Aeiofcji.exe
1972 | Afjlnk32.exe
3840 | Anadoi32.exe
4956 | Aqppkd32.exe
1168 | Aeklkchg.exe
4232 | Agjhgngj.exe
1820 | Aabmqd32.exe
3732 | Aeniabfd.exe
548 | Afoeiklb.exe
4384 | Accfbokl.exe
468 | Bfabnjjp.exe
1236 | Bebblb32.exe
3416 | Bfdodjhm.exe
3120 | Bnkgeg32.exe
5004 | Baicac32.exe
4032 | Bchomn32.exe
3144 | Bffkij32.exe
2576 | Bmpcfdmg.exe
4920 | Balpgb32.exe
2824 | Bcjlcn32.exe
744 | Bfhhoi32.exe
Drops file in System32 directory 64 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\Ghekjiam.dll | Caebma32.exe
File opened for modification | C:\Windows\SysWOW64\Cmqmma32.exe | Cjbpaf32.exe
File created | C:\Windows\SysWOW64\Agjbpg32.dll | Dhfajjoj.exe
File opened for modification | C:\Windows\SysWOW64\Olhlhjpd.exe | Ojjolnaq.exe
File created | C:\Windows\SysWOW64\Hgaoidec.dll | Pjjhbl32.exe
File created | C:\Windows\SysWOW64\Aeklkchg.exe | Aqppkd32.exe
File created | C:\Windows\SysWOW64\Fpnnia32.dll | Bchomn32.exe
File created | C:\Windows\SysWOW64\Caebma32.exe | Cnffqf32.exe
File created | C:\Windows\SysWOW64\Odaoecld.dll | Pgllfp32.exe
File opened for modification | C:\Windows\SysWOW64\Ndfqbhia.exe | Npjebj32.exe
File created | C:\Windows\SysWOW64\Olcbmj32.exe | Nggjdc32.exe
File created | C:\Windows\SysWOW64\Anogiicl.exe | Afhohlbj.exe
File opened for modification | C:\Windows\SysWOW64\Aeklkchg.exe | Aqppkd32.exe
File created | C:\Windows\SysWOW64\Bnbmefbg.exe | Bfkedibe.exe
File created | C:\Windows\SysWOW64\Deokon32.exe | Daconoae.exe
File created | C:\Windows\SysWOW64\Nlmllkja.exe | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Ojoign32.exe | Ogpmjb32.exe
File created | C:\Windows\SysWOW64\Glbandkm.dll | Bebblb32.exe
File created | C:\Windows\SysWOW64\Ehfnmfki.dll | Anmjcieo.exe
File created | C:\Windows\SysWOW64\Phiifkjp.dll | Bfabnjjp.exe
File created | C:\Windows\SysWOW64\Ocgmpccl.exe | Oddmdf32.exe
File created | C:\Windows\SysWOW64\Pmoahijl.exe | Ocgmpccl.exe
File opened for modification | C:\Windows\SysWOW64\Anadoi32.exe | Afjlnk32.exe
File created | C:\Windows\SysWOW64\Dhocqigp.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Qhbepcmd.dll | Pqmjog32.exe
File created | C:\Windows\SysWOW64\Chempj32.dll | Qgqeappe.exe
File opened for modification | C:\Windows\SysWOW64\Aeniabfd.exe | Aabmqd32.exe
File created | C:\Windows\SysWOW64\Bfhhoi32.exe | Bcjlcn32.exe
File opened for modification | C:\Windows\SysWOW64\Bmbplc32.exe | Bjddphlq.exe
File opened for modification | C:\Windows\SysWOW64\Cndikf32.exe | Bcoenmao.exe
File created | C:\Windows\SysWOW64\Jgilhm32.dll | Chcddk32.exe
File opened for modification | C:\Windows\SysWOW64\Nlaegk32.exe | Ngdmod32.exe
File created | C:\Windows\SysWOW64\Ognpebpj.exe | Olhlhjpd.exe
File created | C:\Windows\SysWOW64\Jfpbkoql.dll | Oddmdf32.exe
File opened for modification | C:\Windows\SysWOW64\Qmmnjfnl.exe | Qjoankoi.exe
File created | C:\Windows\SysWOW64\Qcgffqei.exe | Qmmnjfnl.exe
File opened for modification | C:\Windows\SysWOW64\Baicac32.exe | Bnkgeg32.exe
File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | Deokon32.exe
File created | C:\Windows\SysWOW64\Elkadb32.dll | Daekdooc.exe
File opened for modification | C:\Windows\SysWOW64\Qcgffqei.exe | Qmmnjfnl.exe
File created | C:\Windows\SysWOW64\Ffcnippo.dll | Aeklkchg.exe
File created | C:\Windows\SysWOW64\Bebblb32.exe | Bfabnjjp.exe
File created | C:\Windows\SysWOW64\Jlingkpe.dll | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Kmcjho32.dll | Nlaegk32.exe
File opened for modification | C:\Windows\SysWOW64\Cfbkeh32.exe | Caebma32.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Bmpcfdmg.exe | Bffkij32.exe
File created | C:\Windows\SysWOW64\Beeppfin.dll | Danecp32.exe
File created | C:\Windows\SysWOW64\Olhlhjpd.exe | Ojjolnaq.exe
File opened for modification | C:\Windows\SysWOW64\Pnonbk32.exe | Pgefeajb.exe
File opened for modification | C:\Windows\SysWOW64\Pdkcde32.exe | Pjeoglgc.exe
File created | C:\Windows\SysWOW64\Pjjhbl32.exe | Pgllfp32.exe
File created | C:\Windows\SysWOW64\Aeniabfd.exe | Aabmqd32.exe
File created | C:\Windows\SysWOW64\Kbejge32.dll | Baicac32.exe
File created | C:\Windows\SysWOW64\Fpkknm32.dll | Ndfqbhia.exe
File created | C:\Windows\SysWOW64\Aeiofcji.exe | Anogiicl.exe
File opened for modification | C:\Windows\SysWOW64\Aeiofcji.exe | Anogiicl.exe
File created | C:\Windows\SysWOW64\Jlklhm32.dll | Anadoi32.exe
File created | C:\Windows\SysWOW64\Hjjdjk32.dll | Balpgb32.exe
File created | C:\Windows\SysWOW64\Oddmdf32.exe | Ojoign32.exe
File created | C:\Windows\SysWOW64\Pkmlea32.dll | Qgcbgo32.exe
File created | C:\Windows\SysWOW64\Fjbodfcj.dll | Accfbokl.exe
File opened for modification | C:\Windows\SysWOW64\Bnkgeg32.exe | Bfdodjhm.exe
File opened for modification | C:\Windows\SysWOW64\Aabmqd32.exe | Agjhgngj.exe
Program crash 1 IoCs
pid | pid_target | process | target process
5448 | 5276 | WerFault.exe | Dmllipeg.exe
Modifies registry class 64 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aabmqd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" | Cmqmma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | Deokon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" | Oddmdf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgefeajb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjeoglgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bfabnjjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" | Banllbdn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Olhlhjpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" | Pnonbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" | Bjddphlq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" | Dodbbdbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" | Pqmjog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll" | Pjjhbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cmqmma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhkjej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" | Pgioqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfkedibe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfbkeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfpgffpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nggjdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ojjolnaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oddmdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll" | Pjeoglgc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnkgeg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Daqbip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Olhlhjpd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pdkcde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" | Bffkij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | Bcjlcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" | Pgefeajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pgefeajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll" | Qmmnjfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" | Bcoenmao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qmmnjfnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qcgffqei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aeniabfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll" | Onhhamgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pqmjog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll" | Pclgkb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgllfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll" | Bfdodjhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnbmefbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" | Danecp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ocgmpccl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aqppkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bchomn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" | Bfkedibe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll" | Cndikf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | Dhocqigp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndcdmikd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngdmod32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Anmjcieo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" | Bfabnjjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odkjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odkjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qgqeappe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Caebma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll" | Ojjolnaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll" | Oncofm32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
PID 1548 wrote to memory of 2068 | 1548 | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe | Nlmllkja.exe
PID 1548 wrote to memory of 2068 | 1548 | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe | Nlmllkja.exe
PID 1548 wrote to memory of 2068 | 1548 | 08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe | Nlmllkja.exe
PID 2068 wrote to memory of 1436 | 2068 | Nlmllkja.exe | Ndcdmikd.exe
PID 2068 wrote to memory of 1436 | 2068 | Nlmllkja.exe | Ndcdmikd.exe
PID 2068 wrote to memory of 1436 | 2068 | Nlmllkja.exe | Ndcdmikd.exe
PID 1436 wrote to memory of 1528 | 1436 | Ndcdmikd.exe | Nloiakho.exe
PID 1436 wrote to memory of 1528 | 1436 | Ndcdmikd.exe | Nloiakho.exe
PID 1436 wrote to memory of 1528 | 1436 | Ndcdmikd.exe | Nloiakho.exe
PID 1528 wrote to memory of 688 | 1528 | Nloiakho.exe | Npjebj32.exe
PID 1528 wrote to memory of 688 | 1528 | Nloiakho.exe | Npjebj32.exe
PID 1528 wrote to memory of 688 | 1528 | Nloiakho.exe | Npjebj32.exe
PID 688 wrote to memory of 2384 | 688 | Npjebj32.exe | Ndfqbhia.exe
PID 688 wrote to memory of 2384 | 688 | Npjebj32.exe | Ndfqbhia.exe
PID 688 wrote to memory of 2384 | 688 | Npjebj32.exe | Ndfqbhia.exe
PID 2384 wrote to memory of 1060 | 2384 | Ndfqbhia.exe | Ngdmod32.exe
PID 2384 wrote to memory of 1060 | 2384 | Ndfqbhia.exe | Ngdmod32.exe
PID 2384 wrote to memory of 1060 | 2384 | Ndfqbhia.exe | Ngdmod32.exe
PID 1060 wrote to memory of 4600 | 1060 | Ngdmod32.exe | Nlaegk32.exe
PID 1060 wrote to memory of 4600 | 1060 | Ngdmod32.exe | Nlaegk32.exe
PID 1060 wrote to memory of 4600 | 1060 | Ngdmod32.exe | Nlaegk32.exe
PID 4600 wrote to memory of 2168 | 4600 | Nlaegk32.exe | Nggjdc32.exe
PID 4600 wrote to memory of 2168 | 4600 | Nlaegk32.exe | Nggjdc32.exe
PID 4600 wrote to memory of 2168 | 4600 | Nlaegk32.exe | Nggjdc32.exe
PID 2168 wrote to memory of 2132 | 2168 | Nggjdc32.exe | Olcbmj32.exe
PID 2168 wrote to memory of 2132 | 2168 | Nggjdc32.exe | Olcbmj32.exe
PID 2168 wrote to memory of 2132 | 2168 | Nggjdc32.exe | Olcbmj32.exe
PID 2132 wrote to memory of 960 | 2132 | Olcbmj32.exe | Odkjng32.exe
PID 2132 wrote to memory of 960 | 2132 | Olcbmj32.exe | Odkjng32.exe
PID 2132 wrote to memory of 960 | 2132 | Olcbmj32.exe | Odkjng32.exe
PID 960 wrote to memory of 4124 | 960 | Odkjng32.exe | Ogifjcdp.exe
PID 960 wrote to memory of 4124 | 960 | Odkjng32.exe | Ogifjcdp.exe
PID 960 wrote to memory of 4124 | 960 | Odkjng32.exe | Ogifjcdp.exe
PID 4124 wrote to memory of 2396 | 4124 | Ogifjcdp.exe | Oncofm32.exe
PID 4124 wrote to memory of 2396 | 4124 | Ogifjcdp.exe | Oncofm32.exe
PID 4124 wrote to memory of 2396 | 4124 | Ogifjcdp.exe | Oncofm32.exe
PID 2396 wrote to memory of 1028 | 2396 | Oncofm32.exe | Odmgcgbi.exe
PID 2396 wrote to memory of 1028 | 2396 | Oncofm32.exe | Odmgcgbi.exe
PID 2396 wrote to memory of 1028 | 2396 | Oncofm32.exe | Odmgcgbi.exe
PID 1028 wrote to memory of 3272 | 1028 | Odmgcgbi.exe | Ojjolnaq.exe
PID 1028 wrote to memory of 3272 | 1028 | Odmgcgbi.exe | Ojjolnaq.exe
PID 1028 wrote to memory of 3272 | 1028 | Odmgcgbi.exe | Ojjolnaq.exe
PID 3272 wrote to memory of 412 | 3272 | Ojjolnaq.exe | Olhlhjpd.exe
PID 3272 wrote to memory of 412 | 3272 | Ojjolnaq.exe | Olhlhjpd.exe
PID 3272 wrote to memory of 412 | 3272 | Ojjolnaq.exe | Olhlhjpd.exe
PID 412 wrote to memory of 4584 | 412 | Olhlhjpd.exe | Ognpebpj.exe
PID 412 wrote to memory of 4584 | 412 | Olhlhjpd.exe | Ognpebpj.exe
PID 412 wrote to memory of 4584 | 412 | Olhlhjpd.exe | Ognpebpj.exe
PID 4584 wrote to memory of 884 | 4584 | Ognpebpj.exe | Onhhamgg.exe
PID 4584 wrote to memory of 884 | 4584 | Ognpebpj.exe | Onhhamgg.exe
PID 4584 wrote to memory of 884 | 4584 | Ognpebpj.exe | Onhhamgg.exe
PID 884 wrote to memory of 4424 | 884 | Onhhamgg.exe | Ogpmjb32.exe
PID 884 wrote to memory of 4424 | 884 | Onhhamgg.exe | Ogpmjb32.exe
PID 884 wrote to memory of 4424 | 884 | Onhhamgg.exe | Ogpmjb32.exe
PID 4424 wrote to memory of 1016 | 4424 | Ogpmjb32.exe | Ojoign32.exe
PID 4424 wrote to memory of 1016 | 4424 | Ogpmjb32.exe |
Ojoign32.exe PID 4424 wrote to memory of 1016 4424 Ogpmjb32.exe Ojoign32.exe PID 1016 wrote to memory of 4104 1016 Ojoign32.exe Oddmdf32.exe PID 1016 wrote to memory of 4104 1016 Ojoign32.exe Oddmdf32.exe PID 1016 wrote to memory of 4104 1016 Ojoign32.exe Oddmdf32.exe PID 4104 wrote to memory of 4528 4104 Oddmdf32.exe Ocgmpccl.exe PID 4104 wrote to memory of 4528 4104 Oddmdf32.exe Ocgmpccl.exe PID 4104 wrote to memory of 4528 4104 Oddmdf32.exe Ocgmpccl.exe PID 4528 wrote to memory of 4052 4528 Ocgmpccl.exe Pmoahijl.exe
Processes
-
Process tree. From depth 2 onward every process is launched with the command line C:\Windows\system32\<name>.exe, but its image is recorded under C:\Windows\SysWOW64: the sample is 32-bit, so WoW64 file system redirection sends its "System32" drops and launches to SysWOW64. That is the directory to search on an infected x64 host (on a 32-bit host the same behaviour lands in System32 itself). Each dropped copy starts the next one, forming a single linear chain of 97 dropped executables that ends when Dmllipeg.exe (PID 5276) crashes and Windows Error Reporting picks it up. Two signature lists stop at exactly 64 entries, consistent with a per-signature cap in the report: "Executes dropped EXE" is attached to the first 64 dropped processes (depths 2 to 65) and "Suspicious use of WriteProcessMemory" to the first 22 processes (64 logged writes), so the absence of those tags further down the chain reflects the cap, not a change in behaviour.

Signature key: A = Adds autorun key to be loaded by Explorer.exe on startup; E = Executes dropped EXE; D = Drops file in System32 directory; R = Modifies registry class; W = Suspicious use of WriteProcessMemory; C = Program crash.

| Depth | PID | Image (command line where it differs from the image path) | Signatures |
|---|---|---|---|
| 1 | 1548 | C:\Users\Admin\AppData\Local\Temp\08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\08a8bb86eb04fbe319c1991fa80768b0_NeikiAnalytics.exe") | D R W |
| 2 | 2068 | C:\Windows\SysWOW64\Nlmllkja.exe | E W |
| 3 | 1436 | C:\Windows\SysWOW64\Ndcdmikd.exe | E R W |
| 4 | 1528 | C:\Windows\SysWOW64\Nloiakho.exe | A E W |
| 5 | 688 | C:\Windows\SysWOW64\Npjebj32.exe | A E D W |
| 6 | 2384 | C:\Windows\SysWOW64\Ndfqbhia.exe | A E D W |
| 7 | 1060 | C:\Windows\SysWOW64\Ngdmod32.exe | E D R W |
| 8 | 4600 | C:\Windows\SysWOW64\Nlaegk32.exe | A E D W |
| 9 | 2168 | C:\Windows\SysWOW64\Nggjdc32.exe | A E D R W |
| 10 | 2132 | C:\Windows\SysWOW64\Olcbmj32.exe | A E W |
| 11 | 960 | C:\Windows\SysWOW64\Odkjng32.exe | E R W |
| 12 | 4124 | C:\Windows\SysWOW64\Ogifjcdp.exe | E W |
| 13 | 2396 | C:\Windows\SysWOW64\Oncofm32.exe | E R W |
| 14 | 1028 | C:\Windows\SysWOW64\Odmgcgbi.exe | E W |
| 15 | 3272 | C:\Windows\SysWOW64\Ojjolnaq.exe | A E D R W |
| 16 | 412 | C:\Windows\SysWOW64\Olhlhjpd.exe | A E D R W |
| 17 | 4584 | C:\Windows\SysWOW64\Ognpebpj.exe | A E W |
| 18 | 884 | C:\Windows\SysWOW64\Onhhamgg.exe | A E R W |
| 19 | 4424 | C:\Windows\SysWOW64\Ogpmjb32.exe | E D W |
| 20 | 1016 | C:\Windows\SysWOW64\Ojoign32.exe | E D W |
| 21 | 4104 | C:\Windows\SysWOW64\Oddmdf32.exe | A E D R W |
| 22 | 4528 | C:\Windows\SysWOW64\Ocgmpccl.exe | A E D R W |
| 23 | 4052 | C:\Windows\SysWOW64\Pmoahijl.exe | A E |
| 24 | 2692 | C:\Windows\SysWOW64\Pgefeajb.exe | E D R |
| 25 | 1664 | C:\Windows\SysWOW64\Pnonbk32.exe | E R |
| 26 | 212 | C:\Windows\SysWOW64\Pqmjog32.exe | A E D R |
| 27 | 1512 | C:\Windows\SysWOW64\Pclgkb32.exe | A E R |
| 28 | 232 | C:\Windows\SysWOW64\Pjeoglgc.exe | A E D R |
| 29 | 3664 | C:\Windows\SysWOW64\Pdkcde32.exe | A E R |
| 30 | 1004 | C:\Windows\SysWOW64\Pgioqq32.exe | A E R |
| 31 | 1116 | C:\Windows\SysWOW64\Pmfhig32.exe | A E |
| 32 | 2912 | C:\Windows\SysWOW64\Pgllfp32.exe | A E D R |
| 33 | 4636 | C:\Windows\SysWOW64\Pjjhbl32.exe | A E D R |
| 34 | 3116 | C:\Windows\SysWOW64\Pjmehkqk.exe | A E |
| 35 | 4212 | C:\Windows\SysWOW64\Qmkadgpo.exe | A E |
| 36 | 3380 | C:\Windows\SysWOW64\Qgqeappe.exe | A E D R |
| 37 | 940 | C:\Windows\SysWOW64\Qjoankoi.exe | E D |
| 38 | 4256 | C:\Windows\SysWOW64\Qmmnjfnl.exe | A E D R |
| 39 | 5020 | C:\Windows\SysWOW64\Qcgffqei.exe | E R |
| 40 | 2800 | C:\Windows\SysWOW64\Qgcbgo32.exe | E D |
| 41 | 1784 | C:\Windows\SysWOW64\Anmjcieo.exe | A E D R |
| 42 | 2296 | C:\Windows\SysWOW64\Aqkgpedc.exe | E |
| 43 | 2376 | C:\Windows\SysWOW64\Afhohlbj.exe | A E D |
| 44 | 2212 | C:\Windows\SysWOW64\Anogiicl.exe | E D |
| 45 | 3684 | C:\Windows\SysWOW64\Aeiofcji.exe | E |
| 46 | 1972 | C:\Windows\SysWOW64\Afjlnk32.exe | A E D |
| 47 | 3840 | C:\Windows\SysWOW64\Anadoi32.exe | E D |
| 48 | 4956 | C:\Windows\SysWOW64\Aqppkd32.exe | A E D R |
| 49 | 1168 | C:\Windows\SysWOW64\Aeklkchg.exe | A E D |
| 50 | 4232 | C:\Windows\SysWOW64\Agjhgngj.exe | A E D |
| 51 | 1820 | C:\Windows\SysWOW64\Aabmqd32.exe | A E D R |
| 52 | 3732 | C:\Windows\SysWOW64\Aeniabfd.exe | E R |
| 53 | 548 | C:\Windows\SysWOW64\Afoeiklb.exe | E |
| 54 | 4384 | C:\Windows\SysWOW64\Accfbokl.exe | E D |
| 55 | 468 | C:\Windows\SysWOW64\Bfabnjjp.exe | A E D R |
| 56 | 1236 | C:\Windows\SysWOW64\Bebblb32.exe | E D |
| 57 | 3416 | C:\Windows\SysWOW64\Bfdodjhm.exe | A E D R |
| 58 | 3120 | C:\Windows\SysWOW64\Bnkgeg32.exe | A E D R |
| 59 | 5004 | C:\Windows\SysWOW64\Baicac32.exe | A E D |
| 60 | 4032 | C:\Windows\SysWOW64\Bchomn32.exe | A E D R |
| 61 | 3144 | C:\Windows\SysWOW64\Bffkij32.exe | A E D R |
| 62 | 2576 | C:\Windows\SysWOW64\Bmpcfdmg.exe | A E |
| 63 | 4920 | C:\Windows\SysWOW64\Balpgb32.exe | A E D |
| 64 | 2824 | C:\Windows\SysWOW64\Bcjlcn32.exe | E D R |
| 65 | 744 | C:\Windows\SysWOW64\Bfhhoi32.exe | E |
| 66 | 380 | C:\Windows\SysWOW64\Bjddphlq.exe | A D R |
| 67 | 2764 | C:\Windows\SysWOW64\Bmbplc32.exe | A |
| 68 | 2116 | C:\Windows\SysWOW64\Banllbdn.exe | R |
| 69 | 1084 | C:\Windows\SysWOW64\Bfkedibe.exe | D R |
| 70 | 376 | C:\Windows\SysWOW64\Bnbmefbg.exe | A R |
| 71 | 3392 | C:\Windows\SysWOW64\Bapiabak.exe | A |
| 72 | 1080 | C:\Windows\SysWOW64\Bcoenmao.exe | A D R |
| 73 | 732 | C:\Windows\SysWOW64\Cndikf32.exe | R |
| 74 | 3140 | C:\Windows\SysWOW64\Chmndlge.exe | A |
| 75 | 384 | C:\Windows\SysWOW64\Cnffqf32.exe | A D |
| 76 | 1492 | C:\Windows\SysWOW64\Caebma32.exe | D R |
| 77 | 2580 | C:\Windows\SysWOW64\Cfbkeh32.exe | R |
| 78 | 2540 | C:\Windows\SysWOW64\Cjmgfgdf.exe | A |
| 79 | 3808 | C:\Windows\SysWOW64\Cdfkolkf.exe | none |
| 80 | 1524 | C:\Windows\SysWOW64\Cfdhkhjj.exe | none |
| 81 | 5008 | C:\Windows\SysWOW64\Cnkplejl.exe | none |
| 82 | 1072 | C:\Windows\SysWOW64\Ceehho32.exe | none |
| 83 | 3316 | C:\Windows\SysWOW64\Chcddk32.exe | D |
| 84 | 116 | C:\Windows\SysWOW64\Cjbpaf32.exe | A D |
| 85 | 2364 | C:\Windows\SysWOW64\Cmqmma32.exe | A R |
| 86 | 3752 | C:\Windows\SysWOW64\Dhfajjoj.exe | D |
| 87 | 4880 | C:\Windows\SysWOW64\Danecp32.exe | A D R |
| 88 | 2872 | C:\Windows\SysWOW64\Djgjlelk.exe | A |
| 89 | 4388 | C:\Windows\SysWOW64\Daqbip32.exe | R |
| 90 | 2796 | C:\Windows\SysWOW64\Dhkjej32.exe | A R |
| 91 | 3332 | C:\Windows\SysWOW64\Dodbbdbb.exe | A R |
| 92 | 1976 | C:\Windows\SysWOW64\Daconoae.exe | D |
| 93 | 5076 | C:\Windows\SysWOW64\Deokon32.exe | D R |
| 94 | 3136 | C:\Windows\SysWOW64\Dfpgffpm.exe | A R |
| 95 | 5128 | C:\Windows\SysWOW64\Daekdooc.exe | D |
| 96 | 5172 | C:\Windows\SysWOW64\Dhocqigp.exe | A R |
| 97 | 5216 | C:\Windows\SysWOW64\Dknpmdfc.exe | D |
| 98 | 5276 | C:\Windows\SysWOW64\Dmllipeg.exe | none |
| 99 | 5448 | C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 408) | C |
| 1 | 5376 | C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5276 -ip 5276) | none |
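The two tags a responder needs to act on here are the Explorer autorun key and the drops into "System32", which on this x64 VM land in SysWOW64 as the image paths in the tree show. The PowerShell below is an added hunt script, not part of the sandbox report or of the sample: it audits the ShellServiceObjectDelayLoad keys in both registry views, resolves every value's CLSID to its in-process COM server DLL and checks the Authenticode signature (so a class the dropper registered itself, per the "Modifies registry class" tag, surfaces as an unsigned server), then lists recently written executables in SysWOW64 that are not validly signed. It assumes the "Adds autorun key to be loaded by Explorer.exe on startup" signature refers to a ShellServiceObjectDelayLoad value; the function names are mine.

```powershell
# Added hunt script, not part of the sandbox report or the sample. It (1) audits both
# ShellServiceObjectDelayLoad (SSODL) keys, which Explorer.exe loads at logon, resolving
# each CLSID to its in-process COM server DLL and checking the Authenticode signature,
# and (2) lists recently written executables in SysWOW64 that are not validly signed.
# Assumption: the report's "Adds autorun key to be loaded by Explorer.exe on startup"
# refers to an SSODL value. Run elevated in Windows PowerShell 5.1 or later.

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Resolve-ClsidServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # A COM class registered by a 32-bit process lands under Classes\WOW6432Node\CLSID on
    # x64 Windows; HKCU\Software\Classes needs no admin rights to write, so check it too.
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $srv = "$root\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $srv) {
            $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($key in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $clsid = [string]$item.GetValue($name)
            $dll = Resolve-ClsidServer -Clsid $clsid
            $verdict = 'ok'
            if (-not $dll) {
                $verdict = 'SUSPICIOUS: no InProcServer32 registered for this CLSID'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $verdict = 'SUSPICIOUS: server DLL missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
                if ($sig.Status -ne 'Valid') {
                    $verdict = "SUSPICIOUS: signature status $($sig.Status)"
                } elseif ($dll -notlike "$env:SystemRoot\*") {
                    $verdict = 'REVIEW: signed, but server lives outside the Windows directory'
                }
            }
            [pscustomobject]@{ Key = $key; Name = $name; CLSID = $clsid; Server = $dll; Verdict = $verdict }
        }
    }
}

function Get-RecentSysWow64Executables {
    param([int]$Days = 7)
    # The tree above launches every copy as C:\Windows\system32\<name>.exe yet records its
    # image under C:\Windows\SysWOW64: WoW64 file system redirection sends a 32-bit
    # process's System32 writes to SysWOW64, so that is where the dropped copies live.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath "$env:SystemRoot\SysWOW64" -Filter '*.exe' -File |
        Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                Created   = $_.CreationTime
                Signature = $sig.Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' } |
        Sort-Object Created
}

Get-SsodlFindings | Format-Table -AutoSize
Get-RecentSysWow64Executables -Days 7 | Format-Table -AutoSize
```

On a clean Windows 10 build each SSODL view holds the one entry Windows ships, whose server is a Microsoft-signed DLL under the Windows directory, so it reports "ok"; anything else in that key deserves a look even when the value name sounds like a Windows component. The SysWOW64 listing is the quick way to collect the dropped copies for hashing before they are cleaned up.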
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Files recovered from the VM. 42 of the 43 are 161KB and no two share a hash, so every copy the dropper writes differs from the others and a blocklist built from these hashes will not match the copies written on another host; the 7KB file (entry 3) is the only one of a different size.

| # | Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|---|
| 1 | 161KB | 6edd243dc54553b4d5f512faeb3e95c1 | 9025f557e5d9a4756ad680e11a4bc352768f0883 | 2379d8c50127ef1a2bf980a221260e1fe9edae8336c4da61e0b7764b146cb5a9 | 9fd900e4fbfebaee057401c4c13c55101ae4941de57af8b5b6e98eefd15ba52bf5acac24901a39074a9df398ec41a12ad035a9e1391985eb8adff0d33047a967 |
| 2 | 161KB | 45f6bfdb1d0f83a7c3948eaca44f4e62 | 65a6f4efdc7eacddcacf7be41727518199b3d17e | d37a2ab6fcc1fcf5c129b9e96a45bd6222526cb511f09b25c73e5ac36fac8d82 | b715cb4ee801717f0d37fdcd3a6c0a7ccacf774b31ed8c46f7b1a710e3fb219de3ab1c46b1b374fd2ee68a2526afb205ec3e1263c117c6c39dc0685a5ce099c9 |
| 3 | 7KB | 8b21de4a4442894bb8b072eb9908709a | 4fc2bce2eb7fb7a5431e9880fd40604104f983b1 | be1c2b76499a0f3c11ba591fcd08099f5304d80df2ae1e81af3576f14b99e7c0 | 18079aaecc57756d8640ce055fbf53eaec847336e654f15d8b4fb1e9ec5f6a95fc97be96f25bae6b515f368e4621fb294d6f498660787e9617e61583fd292825 |
| 4 | 161KB | 1592f14a179d553d1a32a938f8055428 | 86d42238dd88e896ee60cfae028e3aee6a691099 | bd7d8aedfec62efca2b2d3e7592c3a66116093ff28f6384b6913cc738e5b845b | 9805ce0a2a6a3afd8eb14000a5a9d2b9ce256f440ab796718d98883b839c3cc1aa4dc6c3e0dedec8aa5a9b7b766bb2c3dd332a31fac0164e9eccc39332fe5d80 |
| 5 | 161KB | e3a1f4412c62df9c0c457a05a6a05a7f | a5a37f13324ce020a568f3be6fe78573bcfcbe20 | 2ff65a40865b5bdc79bf4bab4bfafe5c0165bbe49c0f5e569b655f971959dd12 | a99b56dde9de995a58e640e7c0696c02c36d99d4986b3734a837f51e7f6613922056a8b1fd392755c54d4edad9d2d278adaee53f8549d1fb5764208f0ae88fb5 |
| 6 | 161KB | 837cf50967b629503a4f1b168285ca08 | 808a8e0cac0a3567cb420c69b10768e472e935cb | f89d3d97df932f59d12ffcfd6d995c58dae3153382c74cb0abfb44330b65e480 | 9e5adcadb7bbb71cd1e5c111bc3ab7a16c053c1703ae1dcd259e5ba49c44348855ab4e028e188d6cfa52e66d96506b75dca1be2b08bf45ee0081700551a927b4 |
| 7 | 161KB | b8fe80f8554b4eaabc963df1131c28dc | 9adebf9ac1444ca8c08f289b9654fd462d73159d | 0f0ee47f5edd536c0fd6fc5af9b9f8e1c239851609dc07bf35e76f8be3549acd | a291cb7dd9b1505093a491aa5e1907b402cea1fd25763bfce7f803e0d42a420a31eac981a64def94229166fba7e2b982ac8d6066d7cae08eeaa53338c8605e66 |
| 8 | 161KB | abb05f1abf9081020b5f8a9c35c6f3d9 | 59e1264273276a5d7b253e0d6476bbb7db1862f3 | a8e0980d87ef41f2e1197a36dfa54755042f19d9ac6e1c46cb8f422a87fa2ff3 | 553033457ea9684e79943b8d60276cc40dfb8454441d123331035caba786e7702a536ba67c814235efd80a4c1d98dfc32aa434eefcc22f9d75ae5082822511f3 |
| 9 | 161KB | 5fa359c920b460782d83577e457f6057 | 30c55ee24fecaf752c2e21ed4703e8c60de11cce | e829162e46cf0879522980d10376396b7fb46513642491417fca2ce54e2bf764 | 67aabda643e7fd2070075e143ac4e99c41bef49c1d9cda0ab4937de8d5d05ddd29b398fff6ffe9b030524dcc831bfcd4c23a1dd44523291d9bae32354837dbfb |
| 10 | 161KB | 69815f749dda0e5883c1f0f811ebf733 | 48fba605cf678e8db2fe948dee9e71bdab6d9a0c | 0f455e07500d6141073790e159e2597bf8c98ddb0312f0914df6ab1d93d46d9d | b491d6c1556d723a3aba9a4de4f7bedba9b7875c673d8e29da5501acee6b021ae2dfde53cd5b75b72364a2edea06a0ccf1dce0af2946b34850e62bb7b18b117b |
| 11 | 161KB | 950ed7ff6c2b9d089773d832952fcca0 | 41a7e30f0da837206fb5704827d3e9c1e99f8efc | d87218e59f242bf5df8e6a6e0932b7633924fcc7217afe0d1c5767e32144503a | b4325ecc65afceecebced7dfec63c82b8446b3ce34ebec0c341c3818cf8802955b60b7994ecb5cfb467dc544aedabdf9eb31f235940dbbb6dd862ac0a969c9ec |
| 12 | 161KB | f31c806a4c4f3644bf58331f83dd123d | 94b65c9f197d764135eeea1f1044ee3a18069fe0 | 5954011a744083af59a0fff6968c30dfe197a747afd85c6727d148fa3d4b8b53 | 8eb160875de78693637cf6dd6e7e98ea2cecae4feb2e3aae46e13e99c2081ad0e0146f38600cce70d994a5bc1be0a8fb18d3a122dd2060c5f03c5fcd6ce2d3ec |
| 13 | 161KB | 17fcc8c082c3765610bc4e0fedc81493 | e43fbb6216773210d6581493be834799b900264e | 8430a36d1feb0f3ba0ef18859b2713748019812ebc91b8cec11cbd2a1907fcc0 | eae49e7250ac176beac3c086bb490ed122cb6cf0e86fcbdda01733f88c4e523d84dd113a502db1aa8c5e2bf8529abfc79ec0c5771f46357d6209061bbc0f5981 |
| 14 | 161KB | bf98769c8989d8d7283d10bf7f74dd7e | 7371437b20de7641e2a23794a211c9f91f741b32 | 1c4172eecc6a9c121e71fa4a4e18f59a59150ec2f29796e588f9368a802fbbe4 | cc9ccdcbec0bb3533ba194efd4889068e315e8e1bf61f210cb6faef86f70a471a1030a79a18c0286b1691ef3a00e4d4a8a2b814f5a2bc9f84e683c3ef914975c |
| 15 | 161KB | 5af3a6b033ffe2db86a057d9e294e25f | dd885463d9de9a5bc533dd4450d4944121aedabe | 613f6c8e31533c6bba684b360a9472e8c909483ba2e311c5a1dd549fb2e99c1a | ed29beb9d2ff9bfa7014304f341ea06e59d4b034f5a39db4779ad296277f0e02db3c60e3654927c8b2b3b2c6d121a4e069f8025853e536281f1a838380b3ddd5 |
| 16 | 161KB | f07c2cdb553cd5a991ec531d0d3548f6 | d7b83aa3cb6727a3fd950f49fbc556d81263aa2c | 6891bae8413aea1231947216e2c23f63274d0d45767c91a870560a1abb415c88 | 1b54a3ffeeafbdaf28f3f5480d7c6f9febc8ec01866de9d5881a56f840ab25b9314f6711bf66c5598f85ffc3be91b702dd8d1dcf444cc5e96c74b30b8cf6d246 |
| 17 | 161KB | df51109058ae2cd7b478623b960551a3 | 5c4cf80d4bbeb2859ed4a5f8ad0ab50e60bb9917 | ab1606a11fada1d757194512f84f5fcc1beb705c1ecc720e2bf72a85599b66af | 1b831b14d7b6aa2380ee02484ee3d636d876c2853f7defb48a7fe30a1120615cf05257ce48d77d263603d62efc9b000c589e1e00f6277c1650e706899b143221 |
| 18 | 161KB | 737fcb0f08ec74af274adbae1832c814 | 715fe7c267e0de1bc001a4c35ad8d565a0261b6b | 074b1139f8d6f2f057c5f5deb69ebe92729f7c256fa04abba3c83bf29054ebf2 | c29a64f886322fd61d6a86892c90348634a04da8bd7557a08cbac5a6029c8926eb3521fa91be8f0bd3eb2aad8d08f634b2cb533dd10812ba30848558fb7c2778 |
| 19 | 161KB | 94e4aaead70d1c3a7b7f32ca96a335c3 | 79ce9197710df03a3fd108f27f2b2ce5820651c3 | 6750cd98a00a1fe29979aa14e6fd6cf1c8cb1b728ef5e3ef0cfc5b018c7cd45e | 9cf1206ffa7c141d60a952c7662334cc721e26b9314112c0225dbd2e2a58cd7599cc96af70136d20d59daa3f778f01d84cbd792da8211f5a88ea5e6dcebfcfc9 |
| 20 | 161KB | e6ebc52cfdb6a1bf0bd82dab3b4715d2 | 6f5d0d06be2af99a539bef0e6de0a08a775d990f | be9f592d4d39165d5c64093f0d4c0855ec048f71533ef47a05bd848289956dbb | 1fcea63f16960d52d2b2956886541eb96c883eddf4389624c999684989a010a10baf04d33e2d9910fa6976de515093157155d85ab240aa727dc7589035a9b552 |
| 21 | 161KB | a160c1fafafaefaf6872ef6320676916 | 20c224ef619dde74a383ed15ab74b4581b3fcd1f | f844db91f81395870c3299637b597b98d14be292681dfaaa9809b359771e40e0 | b574278f81810016c9276a723d84291e2bcb87508b13ab19e10f80bb98db1414cc5b87b1b6a5ff4e93c46297b5c51caf13e12dcb4745509d7d060dc8705deb9a |
| 22 | 161KB | ced7c28a3851ad2e16470475e46b7c7a | 0307185af19775336dd9f47b03304a5ae0896720 | 16e2f0d9520234de6e53e8cd2a7b4da423683f246465d65ab2535c66c1064b84 | 80fa53752d62d2e869857813a0864a50d4da41bd944f288c62b9de103c75819d4217f7a6870a42cd8d5ea98d4489b1deb52c6965daa36eb4c14121d1a75a4821 |
| 23 | 161KB | 99dd9c498cc761b2fc385848d40a3f1b | 3d30c45d2de4b11e9a625af4065565fe0801cf23 | 7f6a84ba801b9447eaa1151be358bb44c85007604133ef66008ce77eca3f4f74 | a025eec9c774558cf14587aad8a9dea1151c4f74b0987387fc9d5e598610196b58ca788c91e386a9bf0ad8faab2b46168251d7b458e38afe67cdbf3846b53303 |
| 24 | 161KB | 2a1a140954d63944b92d21abc9aace09 | 2f03dd5d9bfd40f923d50acf180bb7dc07b15551 | 21d879317244e8a311260eeb90b4f302416d5bb822dc5d34d932c1f96e6eb088 | 357d684be45a412d2793c2987328e7b0cf71068a305d263f82514593e25902a914407ece8fbad69b88ddb7b1be1783a729f7d7655aae194c8b4e0ba30e4da1e7 |
| 25 | 161KB | f25470302c71f41c88b877604352d7b1 | d166b7059bad49e67936ca74afa2f4e5a3a19b13 | e9e723a593b337151738c2225fcad6e050f9e34d40e9b0740d4a6282cca529be | 5bf62d9bea7b50717095cf4d0baabe2e5fd1a08aa34a5dbd89585c745553369dc5a9e869148d79dabfb502d5c36b4c2045f99dd42444c7678ff5b4f0cce9a798 |
| 26 | 161KB | 7bb91847b5d482307ebaeb61080581f1 | 3d1ff155667d8a051a498ebdb1d9e4cf150e8dd0 | 3e3366f1049ade9cd29f36c50e685ea251e0b390ae397b9a550013bac1192646 | f23eacca4a3502903e3142393e9f9c92bc548c851c6b7a2d0a97804c0bdfdbf22512f45a88cc4723453c9baff01e24077113390326bc9de7b4757a4b3e113b0a |
| 27 | 161KB | 89535e6f68b9b6fa40107ab623d85ceb | 52360b7c070c23f89294e3a6fcb49d9ea32811da | d7037deb8f009cb9ca8eec28e4cb48317804de1ffe072a50f57b926da8708928 | 710100d15429d7e56bca8d2061d808e5133d44b6aa7a852ca094229e3832bc3aa5d70b281f1edf7266bde789e1672362be3811714fbb2bc994a7c3a4d61d7dac |
| 28 | 161KB | 1ca9167ae963a5ba64ce486d16754e64 | 4a95c8ef700b35467ef40de4590ed41c0c3e3213 | 9260b560c90898f8341a0b67420e08a0b889501b76de112a632f139b17011116 | aa9a7afbef44e1d832c37df2f1b3c6e4cce376f64202d9b9d530856086ef3013bed793b0def07e24370d4972afc270ca15f570136395ade20b94549a97e5a74c |
| 29 | 161KB | 900cec50d00ff66486487e70afc0cf04 | 4e464ccb7b15ce5def5e1593fe4ed8983f8aa78b | ec3716e8497789e8964579749c00bf07edcc58e0e937215ce6b40e65ea821458 | c7f9398d31e6a87b38a264d20876b622e11a69653044a22f53fe513ac4bfbb123cf0468bfb5dfc3b3ae25802a03e99f342c443f8e0c8a4ce77e8c9722d6a38c5 |
| 30 | 161KB | b016514a5837b87feec216a121651d96 | 2f7defb97cdc84fb91e2bf334cce2efc3a671443 | 4b7d794d769bc25ddfad1f49019084cb486a53aba45b8dce8815fc5ac85692d5 | 7002e6bee2ab246b023ed3f5a7e57de89a7e3c7a5b3ad4fec241ecc4ba43188f20edcafa0a041d133885a0a697b7baf2964f40b8f8b69c072e61af0d401db0b5 |
| 31 | 161KB | 392966ad1c6526550239e0c7935718f9 | c7eecee105e60012ec5a3c0301fe1056de7d8336 | 966107e36d69eeaf5b55acf318cb4c44bb5e82def93efbd19fee0722ec35fb74 | 83d991a457e1fcdc6e6d96731253872ae6409abc99c86976fe418d9d947aa6e8a36e39370ff1f08b04a1622db21e91c687991f14bdbf60d598c822d108dc2d60 |
| 32 | 161KB | 9e69d8cbd15173b9504746e2f1accf07 | 724615861f83ae47ef8aaf5b686c1310f060e1c6 | 94203fdf98f0ea65146be3af39e770bd094cb7e2f9f3f9d0a77443f122c2ac8a | 47e365c8b95eb77e6b98df5b08da7a5ce3fb3c93b7074be5ecb0ae8379c6f1d8b328085020501bc455f84270c576ee99dd84b91d462b9e3d61e5b83ec622c12b |
| 33 | 161KB | 9b925e2d86777b0a2710e5abf46066f9 | 2294861f77a8d749de4bd15bd9abdf613e986d5a | a87890a99fa728331b4fa0b75ca1700557525078ccc64a49d080c3c907eda7dc | cb4d192386771f7b5e093e1da1d30ab10d734bd3e82a943361afdb9b4482bffdd8441f88814c118ed7d2912a96c44ad47963c87c9a30fd8158ca498c1a3e8383 |
| 34 | 161KB | 1b13f82510086b4207ad988b0097abb0 | d4e137a62c8d145c1a3b29d16ee4ab122401783e | 98b298f698962688e3f09af03de36e73b3791a80eed7408f5f34ac584adad20d | ff99745f66fcfe8adfd651969485432295453d48e0d0dbd162115f274c3af56340844f6515992190d71c8c5efa48cfb370c1f6d4fb6be30843524097e624661f |
| 35 | 161KB | 51ac0cbf987e1ac997db6cfcadfa5881 | 050a5753b51d257ec219bcec42102d1ddb9bca98 | 79154df8ed85e431822b472f90cd9c0e34db0441f408999e979ebd12e8711c2d | 48ea8bf101304c9d0177b4088f142d38034c8c7b9df3a7fc506158686a982e3715f9b662c64ef699216cdb00ed9073996eff6e4d7113b574983864b2a2d31d6d |
| 36 | 161KB | c71651771cf318b1362b3369ede9c467 | 0f3d649b438ee4994bf94476307009bb5bcd246d | 26b76dcf4fbfb848dc06f0627a3432fda374a3ae6e80fff326112114c47ed2f0 | 90e3eb29bf599cb4884f8c46a936c5b42f8949aef6452155ab791543c6aae0fc1d08254fd5a5581663d53eb6285f192a172ba094724c58adcdc3693bf644a298 |
| 37 | 161KB | 41a5f17f0ad4019550b2516cd05b8a10 | 89ab3d8267dfa6e38b6db5fbfe0d8941502b2d39 | bb79942a88051c92d65a24821b58e5fe9c4b1b2315a8084702347b23158b6eb7 | 98bb953f7f295232e1c582c458903c1d380f233890691de416ba8e2891d79c42e67a84927e3e9e4646d14b82920fb3445f605dae5b66daf903ac6b17ef5d098f |
| 38 | 161KB | 46f8a2f7af2e0fa0f3720589f27f06da | 720a5cc697e4ab57e56d112d566eb15409462358 | 49bfc6c26ab972e432d6eaa604f702c8f30ffa49a7d7119aa46e769486ef216a | 41be76305d46aaebd298bd4ba6224780e2468b848778046e73b46e23481511be091e6c3e756116aff824c1cf27f0a4bafdd125055f42c4d2c36605cef5a442ef |
| 39 | 161KB | 0a97ec0a29b9def8441cfca3d46a960d | ba08fc5946f37116e1b3c67086291908f31000a9 | 1506c9de54e231eb014e3bf77b7ba0e071ab81aac20a60f60b567a77e7da2b44 | 74241f4ab04d4a60f551a38f02a465e625916905c442b11f41b99533ca3afa0c08c7483b5ea4b50b2c8ae3a1172adbcc949a510b40b0bc17c44eef40eb25b4a4 |
| 40 | 161KB | 92e3b12db704cec301a9abef29876560 | 36bb85c48bf089f41a41eac644671d14daf7236e | a99de58e25590d2b13a708c0a23f29d22e52c3bac05a2bc4ca8a7169e9f2f263 | 98810f31d5bd080bd5ef70aa9077b7a02be780e751bac4816c7cc457e9716e38ff8cfa7ce0a587edd13fcfb31947920437c0e009b85f2c95a1457aa8b60e6a72 |
| 41 | 161KB | c825c99bceea18d72ada67b6cc35016a | 3165c94bab62c1748a4cf15e3fb7df2b8ca823ff | 425785280089eb8473af4c02fb2874d544a05191b137fa59cef0e1b4cd698144 | 3f2082a6314495a8e74e578ae118aa444c91f50ab7a0e983eac081d42cd3df09519074dbfdab6642003b5f77b5986ea75e0b88dd429daf9d2f218361764c7b8d |
| 42 | 161KB | 637a9cda8f9ae2b37553a24b84447dbe | 94c5ee4a6b871350657b5dfa07adcc64c74d1ce3 | beca06bc36370fac1d8a5cd2ca6b8de50407fa093c39191b05ee42c424d858d6 | 8b18220b15da98ac457ac9399726267c7ddce9017d3416594d3d7ff348bd063d96200953c61a60f207342cf4a7dad3aff10d8efa7b4466096ec330ae1179535a |
| 43 | 161KB | bf66477c9a139430e5f10b58ad1aeb4b | dba9fc295906b7cf25eb45d399896260e305932c | 33eebebe91f819b69ae1f30b18ef15a303ce0eb91b37e8b24d272cfdc94e114e | c5e2f9c715c538c92a9761a567dff8aa47a9fc7e571934b482e43c6ab88b7f071e2b7708f5a9260ff92beadf23754ace64114e9a82da51d387c6bc098598e0ca |
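Since no two dropped copies share a hash, a blocklist of the hashes above will not catch the next infection. What does generalise is the behaviour in the process tree: an unsigned executable in SysWOW64 starting another unsigned executable in SysWOW64, dozens of times in a row. The PowerShell below is an added example, not part of the sandbox report, that reconstructs such chains from Sysmon process-creation events. It assumes Sysmon is installed and logging to its default channel, and that a process ID is not reused inside the window examined (the walk keeps a visited set so reuse cannot loop, but it could still splice two unrelated chains together); the function names are mine.

```powershell
# Added example, not from the sandbox report: rebuilds chains of unsigned SysWOW64
# executables starting each other, using Sysmon process-creation events (Event ID 1).
# Assumptions: Sysmon is installed and logs to its default channel; a process ID is not
# reused within the window examined.

$SignatureCache = @{}

function Test-UnsignedWow64Image {
    param([string]$Path)
    # True for an image under SysWOW64 that is unsigned, badly signed, or already deleted.
    if (-not $Path -or $Path -notlike "$env:SystemRoot\SysWOW64\*") { return $false }
    if (-not $SignatureCache.ContainsKey($Path)) {
        if (Test-Path -LiteralPath $Path) {
            $SignatureCache[$Path] = (Get-AuthenticodeSignature -LiteralPath $Path).Status -ne 'Valid'
        } else {
            $SignatureCache[$Path] = $true
        }
    }
    return $SignatureCache[$Path]
}

function Get-SysmonProcessCreates {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ProcessId   = [int]$data['ProcessId']
            Image       = $data['Image']
            ParentId    = [int]$data['ParentProcessId']
            ParentImage = $data['ParentImage']
        }
    }
}

function Get-Wow64SpawnChains {
    param([int]$Hours = 24, [int]$MinLength = 3)
    # Keep only links where an unsigned SysWOW64 EXE started another unsigned SysWOW64 EXE.
    # WerFault.exe is Microsoft-signed, so the crash handler at the end of the report's
    # chain is not counted as a link.
    $links = @(Get-SysmonProcessCreates -Hours $Hours | Where-Object {
        (Test-UnsignedWow64Image $_.ParentImage) -and (Test-UnsignedWow64Image $_.Image)
    })
    $byParent = @{}
    $isChild  = @{}
    foreach ($l in $links) {
        if (-not $byParent.ContainsKey($l.ParentId)) { $byParent[$l.ParentId] = @() }
        $byParent[$l.ParentId] += $l
        $isChild[$l.ProcessId] = $true
    }
    # Breadth-first walk from every root (a parent that no link spawned). Iterative, so a
    # chain as long as the 97-process one in this report cannot overflow the call stack.
    foreach ($root in @($byParent.Keys | Where-Object { -not $isChild.ContainsKey($_) })) {
        $rootImage = $byParent[$root][0].ParentImage
        $longest = 0
        $last = $rootImage
        $seen = @{}
        $seen[$root] = $true
        $queue = New-Object System.Collections.Queue
        $queue.Enqueue(@{ Id = $root; Depth = 0; Image = $rootImage })
        while ($queue.Count -gt 0) {
            $n = $queue.Dequeue()
            if ($n.Depth -gt $longest) { $longest = $n.Depth; $last = $n.Image }
            if (-not $byParent.ContainsKey($n.Id)) { continue }
            foreach ($c in $byParent[$n.Id]) {
                if ($seen.ContainsKey($c.ProcessId)) { continue }
                $seen[$c.ProcessId] = $true
                $queue.Enqueue(@{ Id = $c.ProcessId; Depth = $n.Depth + 1; Image = $c.Image })
            }
        }
        if ($longest -ge $MinLength) {
            [pscustomobject]@{ RootPid = $root; RootImage = $rootImage; ChainLength = $longest; DeepestImage = $last }
        }
    }
}

Get-Wow64SpawnChains -Hours 24 -MinLength 3 | Format-Table -AutoSize
```

On a host that ran this sample the first link the script keeps is Nlmllkja.exe starting Ndcdmikd.exe (the initial sample lives in %TEMP%, not SysWOW64, so it is not part of a kept link), and the reported chain runs from there to Dmllipeg.exe. Legitimate software almost never produces an unsigned-to-unsigned spawn chain of length three or more inside SysWOW64, so a low MinLength is safe.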