Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
14-05-2024 05:25
Behavioral task
behavioral1
Sample
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
-
Size
3.2MB
-
MD5
857ee271fe97719273d3a7df9586c7b0
-
SHA1
a815a6730abd1044c011e71a142e7d2aa370ba81
-
SHA256
ba26bbdfefe435d7ccf3bed77eeacdb9078a87468bce53916a05e6ed62091d77
-
SHA512
1bc69d4932d44fcaff533257d9b0ffca80714ec766bd676052d84a2b0e3ae2d71fbb936420d2a243d288a3ee468e9f41667a192ccd4ebd846e7595dbcfea0186
-
SSDEEP
49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2412 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1380 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1372 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1348 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2744 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2760 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2756 2388 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2764 2388 schtasks.exe
-
Processes:
dwm.exe, 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
-
Processes:
resource yara_rule
behavioral1/memory/2904-1-0x0000000000F60000-0x000000000129C000-memory.dmp dcrat
C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe dcrat
C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe dcrat
behavioral1/memory/784-143-0x00000000010C0000-0x00000000013FC000-memory.dmp dcrat
behavioral1/memory/2024-220-0x0000000001130000-0x000000000146C000-memory.dmp dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
pid process
3036 powershell.exe
2820 powershell.exe
2280 powershell.exe
584 powershell.exe
2276 powershell.exe
2972 powershell.exe
2548 powershell.exe
2300 powershell.exe
528 powershell.exe
2136 powershell.exe
596 powershell.exe
2816 powershell.exe
-
Executes dropped EXE 5 IoCs
Processes:
dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe
pid process
784 dwm.exe
436 dwm.exe
2948 dwm.exe
1348 dwm.exe
2024 dwm.exe
-
Processes:
dwm.exe, dwm.exe, 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe, dwm.exe, dwm.exe, dwm.exe
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
-
Drops file in Program Files directory 5 IoCs
Processes:
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
description ioc process
File created C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File created C:\Program Files\Mozilla Firefox\f152bbed07f526 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\RCXAC50.tmp 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\RCXAC61.tmp 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File opened for modification C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
-
Drops file in Windows directory 5 IoCs
Processes:
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
description ioc process
File opened for modification C:\Windows\it-IT\RCXA4AC.tmp 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File opened for modification C:\Windows\it-IT\RCXA52A.tmp 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File opened for modification C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File created C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
File created C:\Windows\it-IT\f152bbed07f526 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid process
1348 schtasks.exe
2760 schtasks.exe
2912 schtasks.exe
1380 schtasks.exe
2588 schtasks.exe
2756 schtasks.exe
2364 schtasks.exe
2344 schtasks.exe
2416 schtasks.exe
2764 schtasks.exe
548 schtasks.exe
1372 schtasks.exe
2744 schtasks.exe
2412 schtasks.exe
2268 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe
description pid process
Token: SeDebugPrivilege 2904 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Token: SeDebugPrivilege 2820 powershell.exe
Token: SeDebugPrivilege 584 powershell.exe
Token: SeDebugPrivilege 2280 powershell.exe
Token: SeDebugPrivilege 2136 powershell.exe
Token: SeDebugPrivilege 2972 powershell.exe
Token: SeDebugPrivilege 2300 powershell.exe
Token: SeDebugPrivilege 2276 powershell.exe
Token: SeDebugPrivilege 2816 powershell.exe
Token: SeDebugPrivilege 596 powershell.exe
Token: SeDebugPrivilege 528 powershell.exe
Token: SeDebugPrivilege 2548 powershell.exe
Token: SeDebugPrivilege 3036 powershell.exe
Token: SeDebugPrivilege 784 dwm.exe
Token: SeDebugPrivilege 436 dwm.exe
Token: SeDebugPrivilege 2948 dwm.exe
Token: SeDebugPrivilege 1348 dwm.exe
Token: SeDebugPrivilege 2024 dwm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
System policy modification 1 TTPs 18 IoCs
Processes:
857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe, dwm.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dwm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:784 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba83656-d12f-4f89-916d-15242e1c09fa.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exeC:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8183a161-d181-4e1e-8579-30fcc550ae17.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exeC:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2948 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76526ae5-a288-45b6-92bd-ca80efa389f3.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exeC:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1348 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a6b5df9-73d8-42d8-8823-557bb8097d02.vbs"9⤵PID:1676
-
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exeC:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2024 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30081e1a-09b9-43b8-8b67-e4ffcf574cb3.vbs"11⤵PID:1556
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303c278f-9933-4efa-9b7e-a2dd17928cd5.vbs"11⤵PID:2480
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8584f1-d6b6-4443-b82a-a7feafc25815.vbs"9⤵PID:2156
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73543e1e-e29b-4e60-b64e-23182db324ae.vbs"7⤵PID:3008
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dde5a6f7-1060-4b33-8610-a623bd6d932d.vbs"5⤵PID:1960
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d2de0ec-336c-4417-be36-975c01f98375.vbs"3⤵PID:2164
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics8" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\857ee271fe97719273d3a7df9586c7b0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms