Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 02/06/2024, 06:45
Static task: static1
Behavioral task: behavioral1
Sample: 4a610806fcbb507ea40dee8975ebb380_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 4a610806fcbb507ea40dee8975ebb380_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 4a610806fcbb507ea40dee8975ebb380_NeikiAnalytics.exe
Size: 352KB
MD5: 4a610806fcbb507ea40dee8975ebb380
SHA1: 70d0ff8a00e8955ba0bd75db928017b03a7e3264
SHA256: 8ebcbe41513157bd741fb35703b7899ddd52dde49f073b5273504b10b1217900
SHA512: 5c351b9b79c97fc2f219f2c374880098205e4c7647e8553a8d2f2b2d6cb986862ef8e1a6be2a0718ed50865a58e890ff697ae3c410958158c0948445678f7371
SSDEEP: 3072:p9zszwjBkdZ/OJF4EISi/i4gG4nv4H3EzkGSaXiT+9S+a1+s3wNxn:p9zsKBkdm4yjwHL/T7Gsyn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
Executes dropped EXE 17 IoCs
Loads dropped DLL 38 IoCs
Drops file in System32 directory 51 IoCs
Program crash 1 IoCs
pid: 1084, pid_target: 2328, Process: WerFault.exe, procid_target: 44
Modifies registry class 54 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\4a610806fcbb507ea40dee8975ebb380_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4a610806fcbb507ea40dee8975ebb380_NeikiAnalytics.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2972
[depth 2] C:\Windows\SysWOW64\Fdoclk32.exe
Command line: C:\Windows\system32\Fdoclk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2088
[depth 3] C:\Windows\SysWOW64\Fmhheqje.exe
Command line: C:\Windows\system32\Fmhheqje.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2604
[depth 4] C:\Windows\SysWOW64\Flmefm32.exe
Command line: C:\Windows\system32\Flmefm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2580
[depth 5] C:\Windows\SysWOW64\Fiaeoang.exe
Command line: C:\Windows\system32\Fiaeoang.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2492
[depth 6] C:\Windows\SysWOW64\Gbijhg32.exe
Command line: C:\Windows\system32\Gbijhg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2728
[depth 7] C:\Windows\SysWOW64\Gejcjbah.exe
Command line: C:\Windows\system32\Gejcjbah.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2944
[depth 8] C:\Windows\SysWOW64\Gldkfl32.exe
Command line: C:\Windows\system32\Gldkfl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 288
[depth 9] C:\Windows\SysWOW64\Gacpdbej.exe
Command line: C:\Windows\system32\Gacpdbej.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2760
[depth 10] C:\Windows\SysWOW64\Gkkemh32.exe
Command line: C:\Windows\system32\Gkkemh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1640
[depth 11] C:\Windows\SysWOW64\Hknach32.exe
Command line: C:\Windows\system32\Hknach32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1560
[depth 12] C:\Windows\SysWOW64\Hmlnoc32.exe
Command line: C:\Windows\system32\Hmlnoc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 996
[depth 13] C:\Windows\SysWOW64\Hdhbam32.exe
Command line: C:\Windows\system32\Hdhbam32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 536
[depth 14] C:\Windows\SysWOW64\Hpocfncj.exe
Command line: C:\Windows\system32\Hpocfncj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2824
[depth 15] C:\Windows\SysWOW64\Hpapln32.exe
Command line: C:\Windows\system32\Hpapln32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1928
[depth 16] C:\Windows\SysWOW64\Hacmcfge.exe
Command line: C:\Windows\system32\Hacmcfge.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2196
[depth 17] C:\Windows\SysWOW64\Iknnbklc.exe
Command line: C:\Windows\system32\Iknnbklc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2800
[depth 18] C:\Windows\SysWOW64\Iagfoe32.exe
Command line: C:\Windows\system32\Iagfoe32.exe
- Executes dropped EXE
PID: 2328
[depth 19] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 140
- Loads dropped DLL
- Program crash
PID: 1084
Network
MITRE ATT&CK Enterprise v15
Downloads