Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
16-06-2024 20:17
Behavioral task
behavioral1
Sample
0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
-
Size
255KB
-
MD5
0245eb6a7987a119f03f5f612ab5d580
-
SHA1
77fb33f36897ee7db0bb934806b0390d69d2e6a9
-
SHA256
dbd3ad202f45da2450c7b27e2f443bbef5ea51fc2aa74623cb434b4270f56a06
-
SHA512
6153a78a533685551f8daf6f18c492e6a7977d28a446ac78caa94b9ab256e38c85edf9e2aaa50542bc7acc0626324f8e9c7a4d8d4348170eb36f91093797fb07
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sigrdtlhia.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | sigrdtlhia.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sigrdtlhia.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sigrdtlhia.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
-
Executes dropped EXE 5 IoCs
pid | Process
388 | sigrdtlhia.exe
2152 | wvjmuniltrbskpb.exe
3608 | anxmkxrg.exe
2696 | ddysstexqnudg.exe
1740 | anxmkxrg.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sigrdtlhia.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qmfyultf = "sigrdtlhia.exe" | wvjmuniltrbskpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\exgibpos = "wvjmuniltrbskpb.exe" | wvjmuniltrbskpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ddysstexqnudg.exe" | wvjmuniltrbskpb.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | sigrdtlhia.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | sigrdtlhia.exe
-
AutoIT Executable 59 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | C:\Windows\SysWOW64\sigrdtlhia.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\wvjmuniltrbskpb.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\anxmkxrg.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\anxmkxrg.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | sigrdtlhia.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | C:\Windows\SysWOW64\sigrdtlhia.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\wvjmuniltrbskpb.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\ddysstexqnudg.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ddysstexqnudg.exe | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | anxmkxrg.exe
-
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | anxmkxrg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | anxmkxrg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | anxmkxrg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | anxmkxrg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | anxmkxrg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | anxmkxrg.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | anxmkxrg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | anxmkxrg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | anxmkxrg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF834F2982129042D6587D90BCE5E633593266426343D7EA" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C77915E5DAB2B8BD7FE4ED9137CA" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | sigrdtlhia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | sigrdtlhia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9C9F967F19484753B3086EB39E4B38B038F4311023AE1C5459908A8" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | sigrdtlhia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C089C5582226A4177D470532CD67D8764D8" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | sigrdtlhia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | sigrdtlhia.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15D44E639EF53C5B9A133E8D7BE" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB8FE1D22D1D10CD0A28B7D9117" | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | sigrdtlhia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | sigrdtlhia.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2464 | WINWORD.EXE
2464 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2464 | WINWORD.EXE
2464 | WINWORD.EXE
2464 | WINWORD.EXE
2464 | WINWORD.EXE
2464 | WINWORD.EXE
2464 | WINWORD.EXE
2464 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3228 wrote to memory of 388 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 82
PID 3228 wrote to memory of 388 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 82
PID 3228 wrote to memory of 388 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 82
PID 3228 wrote to memory of 2152 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 83
PID 3228 wrote to memory of 2152 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 83
PID 3228 wrote to memory of 2152 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 83
PID 3228 wrote to memory of 3608 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 84
PID 3228 wrote to memory of 3608 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 84
PID 3228 wrote to memory of 3608 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 84
PID 3228 wrote to memory of 2696 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 85
PID 3228 wrote to memory of 2696 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 85
PID 3228 wrote to memory of 2696 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 85
PID 3228 wrote to memory of 2464 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 86
PID 3228 wrote to memory of 2464 | 3228 | 0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe | 86
PID 388 wrote to memory of 1740 | 388 | sigrdtlhia.exe | 88
PID 388 wrote to memory of 1740 | 388 | sigrdtlhia.exe | 88
PID 388 wrote to memory of 1740 | 388 | sigrdtlhia.exe | 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\0245eb6a7987a119f03f5f612ab5d580_NeikiAnalytics.exe" 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228
C:\Windows\SysWOW64\sigrdtlhia.exe sigrdtlhia.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:388
C:\Windows\SysWOW64\anxmkxrg.exe C:\Windows\system32\anxmkxrg.exe 3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1740
C:\Windows\SysWOW64\wvjmuniltrbskpb.exe wvjmuniltrbskpb.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152
C:\Windows\SysWOW64\anxmkxrg.exe anxmkxrg.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608
C:\Windows\SysWOW64\ddysstexqnudg.exe ddysstexqnudg.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2696
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" 2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2464
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads