Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 19:11
Behavioral task: behavioral1
Sample: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Size: 1.2MB
MD5: 13479ce2adfeb68235431878761f2bd0
SHA1: becd3db1ddb9494d64b2f8f28ca9dcfea5afdbb2
SHA256: 56eb43e82dc6e809762241b8c517ad95557489df9f758e5d2f4104742ca892b7
SHA512: 597d1bb3e5f090bd098bcf52ba37e132175e6c29161ba1e8398875c8de230ceb3efe47f88f435b639a8ec73fd3d0a559df072b0bf4b0b9e934540f58f9615785
SSDEEP: 24576:VR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:bJaDKf4p4UD1v
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Processes: smss.exe, 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
-
Executes dropped EXE 17 IoCs
-
Processes: smss.exe, 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
pid | process
2100 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
588 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2100 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 588 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1904 | smss.exe
Token: SeDebugPrivilege | 2384 | smss.exe
Token: SeDebugPrivilege | 2484 | smss.exe
Token: SeDebugPrivilege | 1912 | smss.exe
Token: SeDebugPrivilege | 1836 | smss.exe
Token: SeDebugPrivilege | 352 | smss.exe
Token: SeDebugPrivilege | 2716 | smss.exe
Token: SeDebugPrivilege | 2960 | smss.exe
Token: SeDebugPrivilege | 2284 | smss.exe
Token: SeDebugPrivilege | 2376 | smss.exe
Token: SeDebugPrivilege | 2052 | smss.exe
Token: SeDebugPrivilege | 276 | smss.exe
Token: SeDebugPrivilege | 1292 | smss.exe
Token: SeDebugPrivilege | 2580 | smss.exe
Token: SeDebugPrivilege | 904 | smss.exe
Token: SeDebugPrivilege | 2996 | smss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2100 wrote to memory of 2476 | 2100 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe | cmd.exe
PID 2476 wrote to memory of 596 | 2476 | cmd.exe | w32tm.exe
PID 2476 wrote to memory of 588 | 2476 | cmd.exe | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
PID 588 wrote to memory of 1904 | 588 | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe | smss.exe
PID 1904 wrote to memory of 1028 | 1904 | smss.exe | WScript.exe
PID 1904 wrote to memory of 952 | 1904 | smss.exe | WScript.exe
PID 1028 wrote to memory of 2384 | 1028 | WScript.exe | smss.exe
PID 2384 wrote to memory of 1664 | 2384 | smss.exe | WScript.exe
PID 2384 wrote to memory of 2612 | 2384 | smss.exe | WScript.exe
PID 1664 wrote to memory of 2484 | 1664 | WScript.exe | smss.exe
PID 2484 wrote to memory of 2700 | 2484 | smss.exe | WScript.exe
PID 2484 wrote to memory of 2964 | 2484 | smss.exe | WScript.exe
PID 2700 wrote to memory of 1912 | 2700 | WScript.exe | smss.exe
PID 1912 wrote to memory of 1388 | 1912 | smss.exe | WScript.exe
PID 1912 wrote to memory of 2536 | 1912 | smss.exe | WScript.exe
PID 1388 wrote to memory of 1836 | 1388 | WScript.exe | smss.exe
PID 1836 wrote to memory of 2856 | 1836 | smss.exe | WScript.exe
PID 1836 wrote to memory of 2640 | 1836 | smss.exe | WScript.exe
PID 2856 wrote to memory of 352 | 2856 | WScript.exe | smss.exe
PID 352 wrote to memory of 1592 | 352 | smss.exe | WScript.exe
PID 352 wrote to memory of 1944 | 352 | smss.exe | WScript.exe
PID 1592 wrote to memory of 2716 | 1592 | WScript.exe | smss.exe
-
System policy modification 1 TTPs 54 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100 -
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:596
-
-
C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13479ce2adfeb68235431878761f2bd0_NeikiAnalytics.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:588 -
C:\Windows\Media\smss.exe
"C:\Windows\Media\smss.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1904 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43cefd7b-6e88-4ac7-a602-05260fe31e9e.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfb2d52e-83a8-4a99-90ae-3720c660371e.vbs"
7⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799bc677-0fac-4adc-9a92-b960b97de8dc.vbs"
9⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1912 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b16c6f76-e247-408c-a894-f4d349f6c600.vbs"
11⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
12⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1836 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8024b097-5de2-4f1e-81a2-02127186665c.vbs"
13⤵
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
14⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:352 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bf7f696-be4a-41cd-8316-3a7beac2b137.vbs"
15⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
16⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2716 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58aebe2-93f5-4c12-a45a-c34d83e36b35.vbs"
17⤵
PID:1992
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
18⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2960 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1c60ae0-028d-4130-8c4b-9ca5aa13e98e.vbs"
19⤵
PID:3036
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
20⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2284 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1963a4-c2b1-4584-a121-b3aea982b305.vbs"
21⤵
PID:2636
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
22⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2376 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc820fc2-6db9-4643-a898-85e0e30b4760.vbs"
23⤵
PID:3000
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
24⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2052 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ccb2bd-6a36-4291-9c39-8300aab3e561.vbs"
25⤵
PID:2296
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
26⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:276 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0116909-81f8-4b54-aa90-d0fa89f4b2c6.vbs"
27⤵
PID:1236
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
28⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1292 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68313b8-2f7b-4032-b6d7-24b38b9ca200.vbs"
29⤵
PID:2248
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
30⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2580 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76086249-f61b-437a-ab99-d44f99ded0fe.vbs"
31⤵
PID:1156
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
32⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:904 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18065e9e-5672-4baf-9203-613b4a3ca4ec.vbs"
33⤵
PID:1340
-
C:\Windows\Media\smss.exe
C:\Windows\Media\smss.exe
34⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2996 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c1917f-2bc8-4156-afc7-f20335cb0c46.vbs"
35⤵
PID:2300
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9bdf99a-148f-44ec-8b0e-ab32b6cada7a.vbs"
35⤵
PID:1612
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448d9363-eb90-4697-9078-15357ad4961f.vbs"
33⤵
PID:1996
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d31a3bb-589a-41ea-bac3-3b70fd68e076.vbs"
31⤵
PID:2172
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab14468-cb79-4657-958e-2b213e050e44.vbs"
29⤵
PID:636
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4215c45a-6261-4fc5-9a86-511274a6d2b1.vbs"
27⤵
PID:2348
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34488273-3c6d-47e8-a5ab-cda0869006c3.vbs"
25⤵
PID:1476
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\756a9aec-a8bd-4042-89ac-5c3c97468ae0.vbs"
23⤵
PID:2096
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb973434-3a47-4c2f-bab7-3804df8bda04.vbs"
21⤵
PID:1280
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec94f4a-0403-49fd-bf46-bf3de111a583.vbs"
19⤵
PID:2024
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6a4a44-4897-42d9-b70e-8c529744a298.vbs"
17⤵
PID:2804
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df7be74-3352-4acd-9e66-c747da92421b.vbs"
15⤵
PID:1944
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e69c453-372a-4c20-99a4-937191e4011f.vbs"
13⤵
PID:2640
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a95b86-bd4e-4ab3-8ff7-c3b64f854518.vbs"
11⤵
PID:2536
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ccda46-eaea-4073-926a-03ba0b8aa35e.vbs"
9⤵
PID:2964
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e30a7-2ef5-4ad7-9712-62f730e12777.vbs"
7⤵
PID:2612
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a0191-12ee-4c70-8bf4-60d3f5aaa806.vbs"
5⤵
PID:952
-
-
-
-
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1968
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:760
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f
- Process spawned unexpected child process
PID:3024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
PID:2160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /f
- Creates scheduled task(s)
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\csrss.exe'" /rl HIGHEST /f
PID:1056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /f
- Creates scheduled task(s)
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:1652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
PID:1752
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Scheduled Task/Job: 1
Downloads