Analysis
- max time kernel: 150s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2024, 01:18
Behavioral task
behavioral1
Sample
39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Resource
win7-20240508-en
General
- Target: 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
- Size: 255KB
- MD5: 39cc45f4953d41988b920e0d9d7e8090
- SHA1: 4f1458801d6dff8a1c7ba78f9369a6d35228e592
- SHA256: e5b21a143695a868c5dfd2408ef03cd8022b68cdadcfe1a372605896af776662
- SHA512: 8096e3ac9b0f83e612b2bf1b49ac46809c9497b1e4be2165c3c28711535c2e9f3fd1544b0b5dc6884cd9c6fd73c895be6ce053d41cd5270e3634188e7f08e2ad
- SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIRD:Plf5j6zCNa0xeE3mpD
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rbwoicuaih.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rbwoicuaih.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rbwoicuaih.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rbwoicuaih.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
-
Executes dropped EXE 5 IoCs
pid | Process
4868 | rbwoicuaih.exe
3528 | nrlruuuhqbktutg.exe
64 | zljtjhho.exe
2420 | nxjkyoxjhmtln.exe
3092 | zljtjhho.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rbwoicuaih.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bwrfigts = "rbwoicuaih.exe" | nrlruuuhqbktutg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ckemvopf = "nrlruuuhqbktutg.exe" | nrlruuuhqbktutg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nxjkyoxjhmtln.exe" | nrlruuuhqbktutg.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rbwoicuaih.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rbwoicuaih.exe
-
AutoIT Executable 59 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\nxjkyoxjhmtln.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\rbwoicuaih.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\nrlruuuhqbktutg.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\zljtjhho.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | C:\Windows\SysWOW64\nxjkyoxjhmtln.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | C:\Windows\SysWOW64\rbwoicuaih.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\zljtjhho.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | C:\Windows\SysWOW64\nrlruuuhqbktutg.exe | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rbwoicuaih.exe
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zljtjhho.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zljtjhho.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zljtjhho.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zljtjhho.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zljtjhho.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zljtjhho.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zljtjhho.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | C:\Windows\mydoc.rtf | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zljtjhho.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zljtjhho.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zljtjhho.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15F47E4389F53C4BAA1329DD7C9" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC8F482A851A9031D7287E9DBDE7E143594A66436332D79A" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9CDF961F2E084753A44819E3999B38E028F4363023DE2CB459D08D4" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rbwoicuaih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rbwoicuaih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B2FF6621DED279D0A98B7D9010" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rbwoicuaih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rbwoicuaih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rbwoicuaih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rbwoicuaih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rbwoicuaih.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7A9D5583506A3576D377232CDF7D8764A8" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67A15E7DAB6B9B97C90EC9E34CF" | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1236 | WINWORD.EXE
1236 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1236 | WINWORD.EXE
1236 | WINWORD.EXE
1236 | WINWORD.EXE
1236 | WINWORD.EXE
1236 | WINWORD.EXE
1236 | WINWORD.EXE
1236 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 404 wrote to memory of 4868 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 82
PID 404 wrote to memory of 4868 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 82
PID 404 wrote to memory of 4868 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 82
PID 404 wrote to memory of 3528 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 83
PID 404 wrote to memory of 3528 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 83
PID 404 wrote to memory of 3528 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 83
PID 404 wrote to memory of 64 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 84
PID 404 wrote to memory of 64 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 84
PID 404 wrote to memory of 64 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 84
PID 404 wrote to memory of 2420 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 85
PID 404 wrote to memory of 2420 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 85
PID 404 wrote to memory of 2420 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 85
PID 404 wrote to memory of 1236 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 86
PID 404 wrote to memory of 1236 | 404 | 39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe | 86
PID 4868 wrote to memory of 3092 | 4868 | rbwoicuaih.exe | 87
PID 4868 wrote to memory of 3092 | 4868 | rbwoicuaih.exe | 87
PID 4868 wrote to memory of 3092 | 4868 | rbwoicuaih.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\39cc45f4953d41988b920e0d9d7e8090_NeikiAnalytics.exe" (tree depth 1)
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\rbwoicuaih.exe
Command line: rbwoicuaih.exe (tree depth 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\zljtjhho.exe
Command line: C:\Windows\system32\zljtjhho.exe (tree depth 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3092

C:\Windows\SysWOW64\nrlruuuhqbktutg.exe
Command line: nrlruuuhqbktutg.exe (tree depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3528

C:\Windows\SysWOW64\zljtjhho.exe
Command line: zljtjhho.exe (tree depth 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:64

C:\Windows\SysWOW64\nxjkyoxjhmtln.exe
Command line: nxjkyoxjhmtln.exe (tree depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2420

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" (tree depth 2)
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1236
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB