Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 09:15 UTC
Static task
static1
Behavioral task
behavioral1
Sample
b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe
-
Size
77KB
-
MD5
b972c00bf289a05a128a74d75f723c20
-
SHA1
38d43b1bf3f39b04a50a89776bb1b14961a6a4e4
-
SHA256
6d9f005b96f1ce8f3c0b009b36137155fb9e0eef124ee9be9c8575692837b91e
-
SHA512
91ec22d0c55f01dd78f5968d90ce25c96102fbf4843e60da3e39ad8ff2ba4ce59706d95e4ebf247d90a3b4ee17f589f43c1b4ac35b1bb7e17c779f68ac8e4078
-
SSDEEP
1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK5:FD40Dmx7y9DZ/Z2hGVkK5
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SPOOLSV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\recycled\\SVCHOST.exe\"" SPOOLSV.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SPOOLSV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE -
Executes dropped EXE 12 IoCs
pid Process 2668 SVCHOST.EXE 1964 SVCHOST.EXE 2660 SVCHOST.EXE 2688 SVCHOST.EXE 2724 SVCHOST.EXE 1912 SPOOLSV.EXE 2592 SVCHOST.EXE 2588 SVCHOST.EXE 1636 SPOOLSV.EXE 3036 SPOOLSV.EXE 2228 SVCHOST.EXE 2220 SPOOLSV.EXE -
Loads dropped DLL 21 IoCs
pid Process 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\Recycled\desktop.ini b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened for modification F:\Recycled\desktop.ini b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: SVCHOST.EXE File opened (read-only) \??\Z: SVCHOST.EXE File opened (read-only) \??\Y: SVCHOST.EXE File opened (read-only) \??\G: SVCHOST.EXE File opened (read-only) \??\H: SVCHOST.EXE File opened (read-only) \??\Z: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\P: SVCHOST.EXE File opened (read-only) \??\R: SVCHOST.EXE File opened (read-only) \??\N: SPOOLSV.EXE File opened (read-only) \??\W: SPOOLSV.EXE File opened (read-only) \??\W: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\G: SVCHOST.EXE File opened (read-only) \??\W: SVCHOST.EXE File opened (read-only) \??\P: SVCHOST.EXE File opened (read-only) \??\J: SPOOLSV.EXE File opened (read-only) \??\U: SPOOLSV.EXE File opened (read-only) \??\L: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\U: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\R: SVCHOST.EXE File opened (read-only) \??\I: SVCHOST.EXE File opened (read-only) \??\M: SVCHOST.EXE File opened (read-only) \??\U: SVCHOST.EXE File opened (read-only) \??\P: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\V: SVCHOST.EXE File opened (read-only) \??\X: SVCHOST.EXE File opened (read-only) \??\V: SPOOLSV.EXE File opened (read-only) \??\X: SPOOLSV.EXE File opened (read-only) \??\V: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\N: SVCHOST.EXE File opened (read-only) \??\E: SPOOLSV.EXE File opened (read-only) \??\Y: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\J: SVCHOST.EXE File opened (read-only) \??\L: SVCHOST.EXE File opened (read-only) \??\T: SVCHOST.EXE File opened (read-only) \??\V: SVCHOST.EXE File opened (read-only) \??\H: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\Q: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\T: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\G: SPOOLSV.EXE File opened (read-only) \??\Y: SPOOLSV.EXE File opened (read-only) \??\K: SVCHOST.EXE File opened (read-only) \??\K: SPOOLSV.EXE File opened (read-only) \??\S: SPOOLSV.EXE File opened (read-only) \??\Z: SPOOLSV.EXE File opened (read-only) \??\N: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\S: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\E: SVCHOST.EXE File opened (read-only) \??\N: SVCHOST.EXE File opened (read-only) \??\O: SVCHOST.EXE File opened (read-only) \??\Q: SVCHOST.EXE File opened (read-only) \??\I: SPOOLSV.EXE File opened (read-only) \??\I: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\M: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\L: SVCHOST.EXE File opened (read-only) \??\R: SPOOLSV.EXE File opened (read-only) \??\K: SVCHOST.EXE File opened (read-only) \??\W: SVCHOST.EXE File opened (read-only) \??\Q: SPOOLSV.EXE File opened (read-only) \??\U: SVCHOST.EXE File opened (read-only) \??\X: SVCHOST.EXE File opened (read-only) \??\H: SPOOLSV.EXE File opened (read-only) \??\L: SPOOLSV.EXE File opened (read-only) \??\G: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened (read-only) \??\O: b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\ SPOOLSV.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL\COMMAND b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\docicon.exe" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" SPOOLSV.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 328 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2668 SVCHOST.EXE 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 1912 SPOOLSV.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE 2660 SVCHOST.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 2668 SVCHOST.EXE 1964 SVCHOST.EXE 2660 SVCHOST.EXE 2688 SVCHOST.EXE 2724 SVCHOST.EXE 1912 SPOOLSV.EXE 2592 SVCHOST.EXE 2588 SVCHOST.EXE 1636 SPOOLSV.EXE 3036 SPOOLSV.EXE 2228 SVCHOST.EXE 2220 SPOOLSV.EXE 328 WINWORD.EXE 328 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2668 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2668 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2668 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 2668 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 28 PID 2668 wrote to memory of 1964 2668 SVCHOST.EXE 29 PID 2668 wrote to memory of 1964 2668 SVCHOST.EXE 29 PID 2668 wrote to memory of 1964 2668 SVCHOST.EXE 29 PID 2668 wrote to memory of 1964 2668 SVCHOST.EXE 29 PID 2668 wrote to memory of 2660 2668 SVCHOST.EXE 30 PID 2668 wrote to memory of 2660 2668 SVCHOST.EXE 30 PID 2668 wrote to memory of 2660 2668 SVCHOST.EXE 30 PID 2668 wrote to memory of 2660 2668 SVCHOST.EXE 30 PID 2660 wrote to memory of 2688 2660 SVCHOST.EXE 31 PID 2660 wrote to memory of 2688 2660 SVCHOST.EXE 31 PID 2660 wrote to memory of 2688 2660 SVCHOST.EXE 31 PID 2660 wrote to memory of 2688 2660 SVCHOST.EXE 31 PID 2660 wrote to memory of 2724 2660 SVCHOST.EXE 32 PID 2660 wrote to memory of 2724 2660 SVCHOST.EXE 32 PID 2660 wrote to memory of 2724 2660 SVCHOST.EXE 32 PID 2660 wrote to memory of 2724 2660 SVCHOST.EXE 32 PID 2660 wrote to memory of 1912 2660 SVCHOST.EXE 33 PID 2660 wrote to memory of 1912 2660 SVCHOST.EXE 33 PID 2660 wrote to memory of 1912 2660 SVCHOST.EXE 33 PID 2660 wrote to memory of 1912 2660 SVCHOST.EXE 33 PID 1912 wrote to memory of 2592 1912 SPOOLSV.EXE 34 PID 1912 wrote to memory of 2592 1912 SPOOLSV.EXE 34 PID 1912 wrote to memory of 2592 1912 SPOOLSV.EXE 34 PID 1912 wrote to memory of 2592 1912 SPOOLSV.EXE 34 PID 1912 wrote to memory of 2588 1912 SPOOLSV.EXE 35 PID 1912 wrote to memory of 2588 1912 SPOOLSV.EXE 35 PID 1912 wrote to memory of 2588 1912 SPOOLSV.EXE 35 PID 1912 wrote to memory of 2588 1912 SPOOLSV.EXE 35 PID 1912 wrote to memory of 1636 1912 SPOOLSV.EXE 36 PID 1912 wrote to memory of 1636 1912 SPOOLSV.EXE 36 PID 1912 wrote to memory of 1636 1912 SPOOLSV.EXE 36 PID 1912 wrote to memory of 1636 1912 SPOOLSV.EXE 36 PID 2668 wrote to memory of 3036 2668 SVCHOST.EXE 37 PID 2668 wrote to memory of 3036 2668 SVCHOST.EXE 37 PID 2668 wrote to memory of 3036 2668 SVCHOST.EXE 37 PID 2668 wrote to memory of 3036 2668 SVCHOST.EXE 37 PID 2440 wrote to memory of 2228 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 39 PID 2440 wrote to memory of 2228 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 39 PID 2440 wrote to memory of 2228 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 39 PID 2440 wrote to memory of 2228 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 39 PID 2668 wrote to memory of 2284 2668 SVCHOST.EXE 38 PID 2668 wrote to memory of 2284 2668 SVCHOST.EXE 38 PID 2668 wrote to memory of 2284 2668 SVCHOST.EXE 38 PID 2668 wrote to memory of 2284 2668 SVCHOST.EXE 38 PID 2440 wrote to memory of 2220 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 40 PID 2440 wrote to memory of 2220 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 40 PID 2440 wrote to memory of 2220 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 40 PID 2440 wrote to memory of 2220 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 40 PID 2284 wrote to memory of 1660 2284 userinit.exe 41 PID 2284 wrote to memory of 1660 2284 userinit.exe 41 PID 2284 wrote to memory of 1660 2284 userinit.exe 41 PID 2284 wrote to memory of 1660 2284 userinit.exe 41 PID 2440 wrote to memory of 328 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 42 PID 2440 wrote to memory of 328 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 42 PID 2440 wrote to memory of 328 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 42 PID 2440 wrote to memory of 328 2440 b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe 42 PID 328 wrote to memory of 608 328 WINWORD.EXE 47 PID 328 wrote to memory of 608 328 WINWORD.EXE 47 PID 328 wrote to memory of 608 328 WINWORD.EXE 47 PID 328 wrote to memory of 608 328 WINWORD.EXE 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2588
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3036
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵PID:1660
-
-
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b972c00bf289a05a128a74d75f723c20_NeikiAnalytics.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:608
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵PID:2512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
2B
MD52b9d4fa85c8e82132bde46b143040142
SHA1a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA2564658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
-
Filesize
77KB
MD5e4c8bd2e0baa0afb643b654d356c8d58
SHA1a266a14f0e0041bbc6087eb8401a562381f29f72
SHA25654d20cfcc9d323c038bca7ebd71cb8ba365d8fd976c5d6ebb670ab28ad8e5b4b
SHA512546d16eb6f1e8d4d234b044b55e2397858b5aee6b8478fe13bde96c6ad395ba15f1a2ce3ca30eaeaffac52f5d2c76391f4fdbdd2ad013d447c8c00e1d867d7a2
-
Filesize
77KB
MD5ac2bc019a89fe4f0a3d23fde54d1b63f
SHA1059b48338f817b6c5fa74f291595ff0653d0f479
SHA256045352165bd8edfd81aa8d083fb488694558efa423a3339738c20c700af97815
SHA5124703691e3c40982369b514992f95bdfd1fda74eb4adf3462c0ee37182311265762d39028d74f6c3d6cd9e91244b468f080737fba88ea937c1953e3c7fa0e9d00
-
Filesize
77KB
MD54f3f7d2325fb7be3d0fd040b90e4a4b0
SHA1b15e7e4dcd2fd570972c9f5c2c8de7901109352c
SHA256d38c7afc1af19e34f541f3e277fa37cdecf5ccf98d4f8b3f65b9f2c1d639f65f
SHA5123449765e4df42a2436e4c212ef19267d2d64a159c1633505866e6bbfb6b45b75e99193cf01461dd1015988f362b52429a55148734109ffc0c8e2ec41a24aa7a6