Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 13-05-2024 18:49

Behavioral task: behavioral1
Sample: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Resource: win7-20240508-en

General
Target: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Size: 3.2MB
MD5: 00195dc23ea8cc5cb728c411f684ff40
SHA1: 604a8ca144781805d4ea73de01caee8ba98c176d
SHA256: 5d911e8e304885f5489587b85e5a43101d5a1078cbcb27727bdd16b78dd45df1
SHA512: 218d3eb66ed906759a695160e8984e95e75aa2c7c4e5558d5941c16658f3e1df718213e307a9f8d3823fd4eaa8713e8cfda95f5de70b9d29cd29ad2ca73c3ddd
SSDEEP: 98304:2smfE8eD0M782w1JSdvi199xP9/ecsFjPSz:2QNBY2S99xl
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4500 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4776 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 400 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4440 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 588 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3716 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2940 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4012 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1356 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2812 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4236 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3736 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4632 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4880 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3932 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 536 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4420 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 732 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 868 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3448 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4308 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3136 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3204 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1048 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4176 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1752 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3168 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3264 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4676 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 220 | 3156 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5096 | 3156 | schtasks.exe |
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Processes:
resource | yara_rule
behavioral2/memory/64-1-0x0000000000EE0000-0x000000000121C000-memory.dmp | dcrat
C:\Recovery\WindowsRE\sysmon.exe | dcrat
C:\Recovery\WindowsRE\sysmon.exe | dcrat
C:\Program Files\Google\OfficeClickToRun.exe | dcrat
C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe | dcrat
C:\Windows\Installer\backgroundTaskHost.exe | dcrat
behavioral2/memory/5152-392-0x0000000000C50000-0x0000000000F8C000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4980 | powershell.exe
4836 | powershell.exe
1524 | powershell.exe
1064 | powershell.exe
4676 | powershell.exe
4512 | powershell.exe
4472 | powershell.exe
1972 | powershell.exe
312 | powershell.exe
5096 | powershell.exe
220 | powershell.exe
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | backgroundTaskHost.exe
Executes dropped EXE 14 IoCs
Processes:
pid | process
5152 | backgroundTaskHost.exe
5732 | backgroundTaskHost.exe
3944 | backgroundTaskHost.exe
3828 | backgroundTaskHost.exe
5192 | backgroundTaskHost.exe
2556 | backgroundTaskHost.exe
5180 | backgroundTaskHost.exe
5924 | backgroundTaskHost.exe
5788 | backgroundTaskHost.exe
4836 | backgroundTaskHost.exe
3260 | backgroundTaskHost.exe
4428 | backgroundTaskHost.exe
2144 | backgroundTaskHost.exe
4040 | backgroundTaskHost.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Drops file in Program Files directory 31 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\explorer.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft\RCX46DB.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Internet Explorer\es-ES\explorer.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\RCX4B13.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\OfficeClickToRun.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Google\RCX4B91.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\RCX5986.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Google\OfficeClickToRun.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX3F83.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\RCX5987.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Google\e6c9b481da804f | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX3CE0.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft\27d1bcfc3c54e0 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Mozilla Firefox\uninstall\0a1fd5f707cd16 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX3CF1.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files\Internet Explorer\es-ES\7a0fd90576e088 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft\System.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX3839.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\RCX3F72.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft\RCX46FB.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft\System.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX3838.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Drops file in Windows directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Installer\backgroundTaskHost.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File created | C:\Windows\Installer\eddb19405b7ce1 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Windows\Installer\RCX526C.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Windows\Installer\RCX52EA.tmp | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
File opened for modification | C:\Windows\Installer\backgroundTaskHost.exe | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5096 | schtasks.exe
4880 | schtasks.exe
3136 | schtasks.exe
3264 | schtasks.exe
1600 | schtasks.exe
4632 | schtasks.exe
4676 | schtasks.exe
4776 | schtasks.exe
2940 | schtasks.exe
4668 | schtasks.exe
868 | schtasks.exe
2756 | schtasks.exe
2800 | schtasks.exe
4012 | schtasks.exe
1356 | schtasks.exe
3932 | schtasks.exe
4420 | schtasks.exe
4308 | schtasks.exe
4500 | schtasks.exe
1964 | schtasks.exe
3736 | schtasks.exe
732 | schtasks.exe
4176 | schtasks.exe
4932 | schtasks.exe
2948 | schtasks.exe
2812 | schtasks.exe
4236 | schtasks.exe
2832 | schtasks.exe
840 | schtasks.exe
3448 | schtasks.exe
1048 | schtasks.exe
1468 | schtasks.exe
836 | schtasks.exe
536 | schtasks.exe
1752 | schtasks.exe
220 | schtasks.exe
400 | schtasks.exe
4788 | schtasks.exe
588 | schtasks.exe
2468 | schtasks.exe
3204 | schtasks.exe
3168 | schtasks.exe
2456 | schtasks.exe
4440 | schtasks.exe
3716 | schtasks.exe
Modifies registry class 15 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | backgroundTaskHost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
64 | 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
1524 | powershell.exe
1524 | powershell.exe
220 | powershell.exe
220 | powershell.exe
4836 | powershell.exe
4836 | powershell.exe
4472 | powershell.exe
4472 | powershell.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 64 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe
Token: SeDebugPrivilege 1064 powershell.exe
Token: SeDebugPrivilege 1524 powershell.exe
Token: SeDebugPrivilege 220 powershell.exe
Token: SeDebugPrivilege 4836 powershell.exe
Token: SeDebugPrivilege 4472 powershell.exe
Token: SeDebugPrivilege 4980 powershell.exe
Token: SeDebugPrivilege 5096 powershell.exe
Token: SeDebugPrivilege 312 powershell.exe
Token: SeDebugPrivilege 4512 powershell.exe
Token: SeDebugPrivilege 1972 powershell.exe
Token: SeDebugPrivilege 4676 powershell.exe
Token: SeDebugPrivilege 5152 backgroundTaskHost.exe
Token: SeDebugPrivilege 5732 backgroundTaskHost.exe
Token: SeDebugPrivilege 3944 backgroundTaskHost.exe
Token: SeDebugPrivilege 3828 backgroundTaskHost.exe
Token: SeDebugPrivilege 5192 backgroundTaskHost.exe
Token: SeDebugPrivilege 2556 backgroundTaskHost.exe
Token: SeDebugPrivilege 5180 backgroundTaskHost.exe
Token: SeDebugPrivilege 5924 backgroundTaskHost.exe
Token: SeDebugPrivilege 5788 backgroundTaskHost.exe
Token: SeDebugPrivilege 4836 backgroundTaskHost.exe
Token: SeDebugPrivilege 3260 backgroundTaskHost.exe
Token: SeDebugPrivilege 4428 backgroundTaskHost.exe
Token: SeDebugPrivilege 2144 backgroundTaskHost.exe
Token: SeDebugPrivilege 4040 backgroundTaskHost.exe
(PID 4836 appears twice: it was first used by a powershell.exe instance and later reused for a backgroundTaskHost.exe instance, as the process tree below shows. Do not key detections on PIDs alone.)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (each pair is recorded twice in the sandbox log; the count is given instead)
PID 64 wrote to memory of 4676: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 1064: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 220: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 1524: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 5096: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 312: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 1972: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 4836: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 4472: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 4512: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 4980: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> powershell.exe (×2)
PID 64 wrote to memory of 5152: 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe -> backgroundTaskHost.exe (×2)
PID 5152 wrote to memory of 5556: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5152 wrote to memory of 5596: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5556 wrote to memory of 5732: WScript.exe -> backgroundTaskHost.exe (×2)
PID 5732 wrote to memory of 5900: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5732 wrote to memory of 5948: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5900 wrote to memory of 3944: WScript.exe -> backgroundTaskHost.exe (×2)
PID 3944 wrote to memory of 3820: backgroundTaskHost.exe -> WScript.exe (×2)
PID 3944 wrote to memory of 512: backgroundTaskHost.exe -> WScript.exe (×2)
PID 3820 wrote to memory of 3828: WScript.exe -> backgroundTaskHost.exe (×2)
PID 3828 wrote to memory of 1760: backgroundTaskHost.exe -> WScript.exe (×2)
PID 3828 wrote to memory of 3360: backgroundTaskHost.exe -> WScript.exe (×2)
PID 1760 wrote to memory of 5192: WScript.exe -> backgroundTaskHost.exe (×2)
PID 5192 wrote to memory of 1692: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5192 wrote to memory of 2424: backgroundTaskHost.exe -> WScript.exe (×2)
PID 1692 wrote to memory of 2556: WScript.exe -> backgroundTaskHost.exe (×2)
PID 2556 wrote to memory of 2400: backgroundTaskHost.exe -> WScript.exe (×2)
PID 2556 wrote to memory of 5512: backgroundTaskHost.exe -> WScript.exe (×2)
PID 2400 wrote to memory of 5180: WScript.exe -> backgroundTaskHost.exe (×2)
PID 5180 wrote to memory of 5580: backgroundTaskHost.exe -> WScript.exe (×2)
PID 5180 wrote to memory of 5796: backgroundTaskHost.exe -> WScript.exe (×2)
The pattern is a relaunch loop: every backgroundTaskHost.exe instance starts two WScript.exe children running GUID-named .vbs files from the user's Temp directory, and one of the two scripts starts the next backgroundTaskHost.exe, which repeats the cycle (compare the process tree below).
-
System policy modification 1 TTPs 45 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
All three values are written by 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe (PID 64) and again by each of the 14 backgroundTaskHost.exe instances in the process tree below (15 processes × 3 values = 45 IoCs). Together they switch UAC off: EnableLUA = 0 disables Admin Approval Mode entirely once the machine reboots, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves whatever prompts remain off the secure desktop. On a cleaned host all three must be restored, not just the dropped files removed.
-
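The three registry writes above, interpreted and checked, as an added example in Python that is not part of the sandbox report. It parses the report's own 'Set value (int) <key>\<name> = "<value>" <process>' lines (that line format, and the default values it compares against, are assumptions noted in the code), flags every write that moves EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop away from its default, reports which processes disabled all three, and builds the reg.exe commands that restore them. The sample lines are copied from the listing, plus two constructed benign lines that must not fire.

```python
"""Triage of UAC policy registry writes in sandbox output (added example)."""
import re
from collections import defaultdict

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_KEY_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Defaults on a workstation without a hardening baseline (assumption: a domain
# policy may legitimately set e.g. ConsentPromptBehaviorAdmin = 2; adjust per estate).
EXPECTED = {
    "EnableLUA": 1,                   # 1 = Admin Approval Mode on; 0 disables UAC at next reboot
    "ConsentPromptBehaviorAdmin": 5,  # 5 = consent prompt for non-Windows binaries; 0 = elevate silently
    "PromptOnSecureDesktop": 1,       # 1 = prompts on the secure desktop; 0 = on the user desktop
}
IMPACT = {
    "EnableLUA": "UAC disabled entirely (effective after reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts shown on the interactive desktop",
}

# Assumed line format, taken from the listing above. Keys containing spaces
# (e.g. 'Windows NT') would not match; the UAC key has none.
SET_VALUE = re.compile(
    r'Set value \(int\) (?P<key>\\REGISTRY\\[^ ]+?)\\(?P<name>\w+) = "(?P<value>-?\d+)" (?P<process>\S+)'
)


def parse_set_value(line):
    """Return {key, name, value, process} for one 'Set value (int)' line, else None."""
    m = SET_VALUE.search(line)
    if not m:
        return None
    return {"key": m["key"], "name": m["name"], "value": int(m["value"]), "process": m["process"]}


def triage(lines):
    """Flag UAC policy values written with a non-default value.

    Returns (findings, per_process); per_process says which of the three values
    each writer touched and whether it changed all of them.
    """
    findings = []
    touched = defaultdict(set)
    for line in lines:
        ev = parse_set_value(line)
        if ev is None or ev["key"] != UAC_KEY or ev["name"] not in EXPECTED:
            continue
        if ev["value"] == EXPECTED[ev["name"]]:
            continue  # re-writing the default is not a finding
        findings.append({**ev, "impact": IMPACT[ev["name"]]})
        touched[ev["process"]].add(ev["name"])
    per_process = {
        proc: {"values_changed": sorted(names), "uac_fully_disabled": set(EXPECTED) <= names}
        for proc, names in touched.items()
    }
    return findings, per_process


def remediation_commands(findings):
    """reg.exe commands that put every flagged value back to its default (run elevated)."""
    names = sorted({f["name"] for f in findings})
    return [f'reg add "{UAC_KEY_HKLM}" /v {n} /t REG_DWORD /d {EXPECTED[n]} /f' for n in names]


SAMPLE_LINES = [
    # copied from the listing above
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" backgroundTaskHost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" backgroundTaskHost.exe',
    # constructed benign lines: a default re-written, and an unrelated key
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate = "0" svchost.exe',
]

if __name__ == "__main__":
    found, by_proc = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f['process']}: {f['name']} = {f['value']} ({f['impact']})")
    print(by_proc)
    print("\n".join(remediation_commands(found)))
```

The per-process view matters for scoping: a process that touches only one of the three values may be a misconfigured installer, while one that writes all three in sequence, as the sample and every dropped copy do here, is disabling UAC on purpose. The reg.exe commands restore the values, but EnableLUA only takes effect after a reboot, in both directions.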
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:64 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\Installer\backgroundTaskHost.exe"C:\Windows\Installer\backgroundTaskHost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5152 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd466347-92fe-4b91-923b-4398af225e25.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:5556 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5732 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e60444e0-ec8a-4512-a96a-9e8c27278085.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:5900 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3944 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a71532b-f9ce-4534-8df9-4b221000b439.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3828 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6cf745-b8c8-4d51-a3e3-9214842eddd2.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5192 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6e3723-c975-4187-af4e-1a03587fbbac.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2556 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\789b5567-4d03-457b-b34a-a8a336cdac71.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5180 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84102f20-aa3c-41a3-b2ce-dc2a6492decb.vbs"15⤵PID:5580
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5924 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b892d72-d363-434a-96a9-40e0fdcb016d.vbs"17⤵PID:3960
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5788 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c51f102-bb6e-4a60-83e7-282963469afb.vbs"19⤵PID:4584
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4836 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e9d9a49-1964-40e0-a87c-956dab7af13d.vbs"21⤵PID:452
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3260 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e509c3c8-ea34-49f8-810e-9046cb579038.vbs"23⤵PID:5492
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4428 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd621da-46e5-412f-b7e4-c55f0f04d253.vbs"25⤵PID:5716
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2144 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dba74704-55f4-48c4-b364-deafda8e0859.vbs"27⤵PID:6044
-
C:\Windows\Installer\backgroundTaskHost.exeC:\Windows\Installer\backgroundTaskHost.exe28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4040 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40633a2a-42d8-493b-97e7-45bc549b1f1a.vbs"29⤵PID:5984
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8c7ff4-8b41-42b1-a755-4efb9389b134.vbs"29⤵PID:4860
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b215e46b-e662-49ec-9a96-22aebdadc046.vbs"27⤵PID:6104
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f668c87d-67f1-44d1-aaab-ce327250d57b.vbs"25⤵PID:4180
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\537b7048-6230-4cd6-a6be-04b9a1e303d4.vbs"23⤵PID:1148
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dc696be-1579-4f94-a57d-e5741f2001aa.vbs"21⤵PID:2132
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b46a32-3a15-44cd-99ef-f934261178cc.vbs"19⤵PID:3908
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43505a82-b053-43c4-82aa-5bd01f2f110d.vbs"17⤵PID:6136
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d520f40-e0d2-4b96-b966-51eed767b24e.vbs"15⤵PID:5796
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96842741-b1ea-4799-945e-1af8b0bab2c1.vbs"13⤵PID:5512
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d44e7f-73a8-4941-a0f2-87f432ce411b.vbs"11⤵PID:2424
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a7f493-a41e-4b05-a830-87dc0c8c0394.vbs"9⤵PID:3360
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3847b708-f7b1-4ffe-a090-eb1204cebec4.vbs"7⤵PID:512
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d84be767-7b84-4364-87e4-e05b952a2fb6.vbs"5⤵PID:5948
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\393a414d-170c-4035-9237-ccbab26d0fe4.vbs"3⤵PID:5596
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\00195dc23ea8cc5cb728c411f684ff40_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads