Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 02:46
Behavioral task behavioral1
- Sample: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: 842d88a85052060e936fdc2ea92b43a0
- SHA1: 4c2a334ee317b586bd284f5e4f514801cc65f3c5
- SHA256: 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
- SHA512: b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb
- SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\", \"C:\\Users\\Default User\\lsm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\", \"C:\\Users\\Public\\Libraries\\dwm.exe\", \"C:\\Users\\Default User\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Libraries\\smss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2364 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2416 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2868 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2064 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1380 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2556 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2708 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1360 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 500 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2160 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 240 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1440 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 872 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 332 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2752 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2184 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2124 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 604 | 2124 | schtasks.exe |
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe, taskhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Processes:
resource | yara_rule
behavioral1/memory/2156-1-0x0000000000100000-0x00000000003C0000-memory.dmp | dcrat
C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | dcrat
C:\Users\Default\RCX3126.tmp | dcrat
C:\Program Files (x86)\Uninstall Information\taskhost.exe | dcrat
behavioral1/memory/2068-122-0x0000000000C30000-0x0000000000EF0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 1 IoCs
Processes:
taskhost.exe
pid | process
2068 | taskhost.exe
Adds Run key to start application 2 TTPs 18 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Public\\Libraries\\dwm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\lsass.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Libraries\\smss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics = "\"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default User\\lsm.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\Skins\\csrss.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\System.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics = "\"C:\\Windows\\Vss\\Writers\\Application\\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\audiodg.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Uninstall Information\\taskhost.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Processes:
taskhost.exe, 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Drops file in Program Files directory 16 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Uninstall Information\taskhost.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft Synchronization Services\42af1c969fbb7b | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\taskhost.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\RCX25CC.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\RCX2CB2.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Uninstall Information\b75386f1303e64 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\RCX23C8.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCX283D.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Drops file in Windows directory 4 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File created | C:\Windows\Vss\Writers\Application\65cd17f60dedcf | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Vss\Writers\Application\RCX2AAE.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid | process
2556 | schtasks.exe
1256 | schtasks.exe
2188 | schtasks.exe
2380 | schtasks.exe
2416 | schtasks.exe
604 | schtasks.exe
2708 | schtasks.exe
2032 | schtasks.exe
1360 | schtasks.exe
2980 | schtasks.exe
2064 | schtasks.exe
1380 | schtasks.exe
2868 | schtasks.exe
240 | schtasks.exe
872 | schtasks.exe
1848 | schtasks.exe
2364 | schtasks.exe
1752 | schtasks.exe
1440 | schtasks.exe
2752 | schtasks.exe
2184 | schtasks.exe
2604 | schtasks.exe
2160 | schtasks.exe
2744 | schtasks.exe
500 | schtasks.exe
332 | schtasks.exe
1916 | schtasks.exe
Processes:
taskhost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | taskhost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | taskhost.exe
Suspicious behavior: EnumeratesProcesses 63 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe, powershell.exe, taskhost.exe
pid | process
2156 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
1280 | powershell.exe
2068 | taskhost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe, powershell.exe, taskhost.exe
description | pid | process
Token: SeDebugPrivilege | 2156 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1280 | powershell.exe
Token: SeDebugPrivilege | 2068 | taskhost.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe, cmd.exe
description | pid | process | target process
PID 2156 wrote to memory of 1280 | 2156 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | powershell.exe
PID 2156 wrote to memory of 832 | 2156 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | cmd.exe
PID 832 wrote to memory of 572 | 832 | cmd.exe | w32tm.exe
PID 832 wrote to memory of 2068 | 832 | cmd.exe | taskhost.exe
System policy modification 1 TTPs 6 IoCs
Processes:
taskhost.exe, 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"
Tree depth: 1
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2156 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
Tree depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280 -
C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat"
Tree depth: 2
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Tree depth: 3
PID:572
-
C:\Program Files (x86)\Uninstall Information\taskhost.exe
Command line: "C:\Program Files (x86)\Uninstall Information\taskhost.exe"
Tree depth: 3
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2068
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916
-
C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
Tree depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
Downloads