Analysis

max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 04:00
Behavioral task: behavioral1
Sample: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Size: 2.9MB
MD5: 77177c57df58a82f289add0cf57ea320
SHA1: 38c0414cb96be176cdf3b965b870bdf5de04f4a4
SHA256: 6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50
SHA512: 67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6
SSDEEP: 49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config

Signatures

DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins at runtime.
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. When the parent is wmiprvse.exe, as here, the likelier explanation is that the child was launched through WMI (Win32_Process.Create): the new process is parented to the WMI provider host rather than to the caller, which detaches it from the sample's own process tree. The provider host itself need not be compromised.
Processes: schtasks.exe (64 instances)
columns: description | pid | pid_target | process | target process (empty in every row)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (the wmiprvse.exe parent): 684 in every row
process: schtasks.exe in every row
pid (the schtasks.exe child), in report order:
1372, 4996, 3484, 3920, 5016, 2932, 4508, 2180, 4212, 1804, 60,
3684, 4932, 4416, 2204, 4840, 4760, 4744, 3116, 3632, 4920, 1828, 1128, 4068, 1396, 4168, 4348, 1836, 3888, 632,
3708, 2484, 2864, 2036, 4280, 2920, 3120, 4292, 1924, 1188, 4256, 4056, 3456, 692, 220, 4088, 4748, 1192, 4684,
4552, 2128, 1036, 4288, 2440, 4968, 4772, 2480, 2340, 3116, 1544, 4236, 3612, 4840, 4348
(pids 3116, 4840 and 4348 each appear twice: the short-lived schtasks.exe processes exited and their IDs were reused during the run)
Processes: csrss.exe (15 instances) and 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2 instances)
description: Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ioc | writers
EnableLUA = "0" | csrss.exe (15), 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2)
ConsentPromptBehaviorAdmin = "0" | csrss.exe (15), 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2)
PromptOnSecureDesktop = "0" | csrss.exe (15), 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2)
51 writes in total (17 per value). Together these three values switch UAC off: EnableLUA = 0 disables UAC entirely once the machine reboots, ConsentPromptBehaviorAdmin = 0 lets administrators elevate with no prompt at all, and PromptOnSecureDesktop = 0 takes any remaining prompt off the secure desktop, where it can be spoofed. The "csrss.exe" here is the dropped copy (see the Program Files drops below), not the real C:\Windows\System32\csrss.exe.
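The registry writes above are easy to eyeball in a sandbox but tedious to reason about from live telemetry, where the same write arrives as a bare "0" from one tool and as "DWORD (0x00000000)" from Sysmon Event ID 13. The following is an added example written for this page, not code from the sandbox or the sample: it replays SetValue events in order, normalises the hive prefix, decodes the DWORD encodings, and states what the final value set does to UAC. The value names and the zero writes mirror the report; the event field names (TargetObject, Details, Image) and the sample events themselves are constructed.

```python
"""Replay UAC policy writes and state what they did to the machine.

Added example, not part of the sandbox report. The value names and the "0"
writes mirror the report; event field names follow Sysmon Event ID 13
(TargetObject, Details, Image) and the sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Windows 10 defaults. ConsentPromptBehaviorAdmin 5 = "prompt for consent for
# non-Windows binaries"; 0 = "elevate without prompting".
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
_CANON = {name.lower(): name for name in UAC_DEFAULTS}
_DWORD_RE = re.compile(r"(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def normalize_key(path: str) -> str:
    """Lower-case the path and map the REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE roots onto hklm."""
    p = path.strip().lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            return "hklm\\" + p[len(prefix):]
    return p


def parse_dword(data):
    """Accept 0, "0", "0x0" or Sysmon's 'DWORD (0x00000000)'; None if non-numeric."""
    if isinstance(data, int):
        return data
    m = _DWORD_RE.search(str(data))
    if not m:
        return None
    token = m.group(1)
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def verdicts(state: dict) -> list:
    """Human-readable consequences of the final value set."""
    out = []
    if state["EnableLUA"] == 0:
        out.append("UAC disabled (enforced after the next reboot)")
    if state["ConsentPromptBehaviorAdmin"] == 0:
        out.append("administrators elevate silently, no consent prompt")
    if state["PromptOnSecureDesktop"] == 0:
        out.append("any remaining prompt is off the secure desktop and can be spoofed")
    return out


def assess_uac(events):
    """Replay SetValue events in order; return final state, who zeroed each value, and verdicts."""
    state = dict(UAC_DEFAULTS)
    writers = {}
    for ev in events:
        if ev.get("EventType", "SetValue") != "SetValue":
            continue
        key, _, name = normalize_key(ev["TargetObject"]).rpartition("\\")
        canon = _CANON.get(name)
        if key != UAC_KEY or canon is None:
            continue
        value = parse_dword(ev["Details"])
        if value is None:
            continue
        state[canon] = value
        if value == 0:
            writers.setdefault(canon, []).append(PureWindowsPath(ev["Image"]).name)
    return {"state": state, "writers": writers, "verdicts": verdicts(state)}


SAMPLE = "77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed events in the two encodings a hunter actually meets: sandbox
# style (bare "0") and Sysmon style ("DWORD (0x00000000)").
SAMPLE_EVENTS = [
    {"Image": SAMPLE, "TargetObject": POLICY + r"\PromptOnSecureDesktop", "Details": "0"},
    {"Image": r"C:\Program Files (x86)\Windows Defender\csrss.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Program Files (x86)\Windows Defender\csrss.exe",
     "TargetObject": POLICY + r"\ConsentPromptBehaviorAdmin", "Details": 0},
    # Same key, unrelated value: ignored.
    {"Image": SAMPLE, "TargetObject": POLICY + r"\LegalNoticeCaption", "Details": "x"},
    # Same value name under a user hive is not where UAC policy lives: ignored.
    {"Image": SAMPLE, "TargetObject": r"HKU\S-1-5-21-1\Software\Policies\System\EnableLUA", "Details": "0"},
]

if __name__ == "__main__":
    report = assess_uac(SAMPLE_EVENTS)
    print(report["state"])
    for line in report["verdicts"]:
        print("-", line)
```

Replaying in order matters: a later write that restores a value (some installers flip EnableLUA and put it back) would leave the final state clean while the writers list still records who zeroed it, which is usually the question an investigator has.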
Processes:
resource | yara_rule
behavioral2/memory/3672-1-0x0000000000C10000-0x0000000000EF6000-memory.dmp | dcrat
C:\Program Files\Microsoft Office\Updates\TextInputHost.exe | dcrat
C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\RCX4B58.tmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes: powershell.exe (22 instances)
pid: 2912, 4284, 5096, 2388, 4376, 2880, 2892, 1192, 5000, 1944, 1616, 4356, 4032, 4556, 2928, 3576, 4208, 4300, 3312, 4896, 4112, 4760
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: csrss.exe (14 instances) and 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2 instances)
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
16 queries in total: 14 by csrss.exe, 2 by 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Executes dropped EXE 16 IoCs
Processes:
pid | process
4932 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
1828 | csrss.exe
2456 | csrss.exe
1316 | csrss.exe
3012 | csrss.exe
3596 | csrss.exe
4804 | csrss.exe
2496 | csrss.exe
4556 | csrss.exe
1256 | csrss.exe
4240 | csrss.exe
2204 | csrss.exe
3492 | csrss.exe
5092 | csrss.exe
4880 | csrss.exe
4732 | csrss.exe
Processes: csrss.exe (15 instances) and 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2 instances)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description | writers
Key value queried | csrss.exe (15), 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2)
Set value (int) EnableLUA = "0" | csrss.exe (15), 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (2)
34 events in total: each process reads EnableLUA and then writes it to 0.
Drops file in Program Files directory 42 IoCs
Processes: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe (all 42 rows)
description | ioc
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e
File opened for modification | C:\Program Files (x86)\Windows Defender\csrss.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\6cb0b6c459d5d3
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX44CD.tmp
File created | C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX5260.tmp
File created | C:\Program Files (x86)\Windows Defender\csrss.exe
File opened for modification | C:\Program Files\Microsoft Office\Updates\TextInputHost.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
File created | C:\Program Files\Microsoft Office\Updates\TextInputHost.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\eddb19405b7ce1
File created | C:\Program Files\7-Zip\Lang\lsass.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe
File opened for modification | C:\Program Files\Microsoft Office\Updates\RCX46D2.tmp
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RCX4953.tmp
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\RCX4B58.tmp
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16
File opened for modification | C:\Program Files\Windows Mail\dllhost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe
File created | C:\Program Files\Windows Mail\dllhost.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
File created | C:\Program Files\7-Zip\Lang\6203df4a6bafc7
File created | C:\Program Files (x86)\Windows Defender\886983d96e3d3e
File opened for modification | C:\Program Files\7-Zip\Lang\lsass.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\7a0fd90576e088
File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\5940a34987c991
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\1f93f77a7f4778
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe
File created | C:\Program Files\Microsoft Office\Updates\22eafd247d37c3
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe
File created | C:\Program Files\Windows Mail\5940a34987c991
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\sppsvc.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe
Every executable dropped here carries the name of a Windows system process (csrss.exe, lsass.exe, dwm.exe, sppsvc.exe, explorer.exe, fontdrvhost.exe, dllhost.exe, backgroundTaskHost.exe, TextInputHost.exe, MoUsoCoreWorker.exe) but lands in a Program Files subdirectory where the real binary never lives. Each landing directory also receives an extension-less companion file whose name is 14 hex characters (886983d96e3d3e, 6cb0b6c459d5d3, and so on). The RCX####.tmp entries are consistent with the scratch files Windows' CopyFile creates while writing a destination and are transient.
Drops file in Windows directory 3 IoCs
Processes: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
description | ioc
File opened for modification | C:\Windows\ServiceProfiles\sihost.exe
File created | C:\Windows\ServiceProfiles\sihost.exe
File created | C:\Windows\ServiceProfiles\66fc9ff0ee96c2
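The two "Drops file" sections above show the same pattern: a Windows system-process name written to a directory where Windows never keeps that binary, with a 14-hex-character companion file beside it. The following is an added example for this page, not code from the sandbox or the sample, that turns that observation into a check you can run over a file-creation feed: it flags system-binary names outside an allowlist of legitimate locations, picks out the companion marker files and the transient RCX*.tmp scratch files, and reports the directories where a masquerading executable and a marker file sit together. The paths are taken from the report; the allowlist of accepted locations and the three benign entries at the end are assumptions to tune for your own image.

```python
"""Spot Windows system-binary names dropped outside their home directories.

Added example, not part of the sandbox report. The paths are taken from the
report's "Drops file" sections plus three constructed benign ones; the
allowlist of legitimate locations is an assumption to tune per image.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Process names DcRat-style droppers reuse for their copies (the report's
# names plus the rest of the usual session/service set).
SYSTEM_BINARIES = {
    "csrss.exe", "lsass.exe", "dwm.exe", "sppsvc.exe", "explorer.exe",
    "fontdrvhost.exe", "sihost.exe", "dllhost.exe", "backgroundtaskhost.exe",
    "textinputhost.exe", "mousocoreworker.exe", "winlogon.exe", "services.exe",
    "smss.exe", "wininit.exe", "svchost.exe", "taskhostw.exe", "runtimebroker.exe",
}
# Accepted homes: directly under C:\Windows (explorer.exe) or under these trees.
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\", "c:\\windows\\systemapps\\",
)
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")                      # extension-less companion file
TEMP_RE = re.compile(r"^rcx[0-9a-f]{4}\.tmp$", re.IGNORECASE)  # CopyFile scratch file


def is_allowed_location(path: str) -> bool:
    """True if a system-binary name at this path is where Windows itself keeps it."""
    parent = str(PureWindowsPath(path).parent).lower()
    if parent == "c:\\windows":
        return True
    return (parent + "\\").startswith(ALLOWED_PREFIXES)


def triage_paths(paths):
    """Classify dropped paths and pair masquerading exes with marker files by directory."""
    result = {"masquerading": [], "markers": [], "temp": [], "paired_dirs": []}
    kinds_by_dir = defaultdict(set)
    for raw in dict.fromkeys(paths):          # de-duplicate, keep report order
        p = PureWindowsPath(raw)
        name, directory = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM_BINARIES and not is_allowed_location(raw):
            result["masquerading"].append(raw)
            kinds_by_dir[directory].add("exe")
        elif MARKER_RE.match(name):
            result["markers"].append(raw)
            kinds_by_dir[directory].add("marker")
        elif TEMP_RE.match(name):
            result["temp"].append(raw)
    result["paired_dirs"] = sorted(
        d for d, kinds in kinds_by_dir.items() if kinds == {"exe", "marker"})
    return result


# Report paths (operation column dropped; the same path appears under both
# "File created" and "File opened for modification") plus constructed negatives.
REPORT_PATHS = [
    r"C:\Program Files (x86)\Windows Defender\csrss.exe",
    r"C:\Program Files (x86)\Windows Defender\886983d96e3d3e",
    r"C:\Program Files\7-Zip\Lang\lsass.exe",
    r"C:\Program Files\7-Zip\Lang\6203df4a6bafc7",
    r"C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe",
    r"C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX44CD.tmp",
    r"C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe",
    r"C:\Windows\ServiceProfiles\sihost.exe",
    r"C:\Windows\ServiceProfiles\66fc9ff0ee96c2",
    r"C:\Windows\ServiceProfiles\sihost.exe",          # duplicate row, as in the report
    # Constructed benign entries: the real binaries and an ordinary third-party exe.
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\7-Zip\7z.exe",
]

if __name__ == "__main__":
    for kind, items in triage_paths(REPORT_PATHS).items():
        print(kind, items)
```

The name check alone would also fire on legitimate WinSxS and SystemApps copies, which is why the allowlist exists; the pairing with a marker file is the higher-confidence signal and is what distinguishes this dropper's layout from a stray copy.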
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (64 instances)
pid, in report order:
4760, 4920, 4840, 3292, 1372, 1804, 1192, 2340, 4056, 1808, 4216, 4552, 4776, 3484, 632, 3708,
4280, 4748, 2440, 2204, 3632, 3120, 1188, 4932, 1396, 4168, 1836, 4288, 4968, 4348, 2388, 4508,
2864, 4292, 1924, 1316, 3116, 3612, 5040, 4744, 4348, 4684, 2128, 2180, 4212, 4416, 4256, 4068,
2920, 1036, 60, 3116, 3456, 4088, 2036, 220, 2480, 4236, 4996, 3920, 5016, 4840, 2436, 2932
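The "Process spawned unexpected child process" finding near the top and this scheduled-task list describe one behaviour from two angles: 64 schtasks.exe launches, almost all parented to wmiprvse.exe (pid 684). Below is an added detection example written for this page, not code from the sandbox or the sample. It walks Sysmon-style process-creation events, keeps only children of wmiprvse.exe that the WMI provider host has no reason to launch, counts them per parent pid, and pulls the task name and action out of each schtasks command line. Parent pid 684, the child pids and the /tr targets are the report's; the command lines, task names, schedules and quoting are constructed, since the report does not show the actual command lines.

```python
"""Flag LOLBins launched under wmiprvse.exe and decode the schtasks calls.

Added example, not part of the sandbox report. Events are dicts with Sysmon
Event ID 1 field names; the sample events at the bottom are constructed.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Children WmiPrvSE.exe has no reason to spawn on a workstation. A hit means
# something called Win32_Process.Create, which parks the new process under the
# WMI provider host instead of under the real initiator.
SUSPICIOUS_WMI_CHILDREN = {
    "schtasks.exe", "powershell.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# schtasks switches are case-insensitive and their values may be quoted.
TN_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case file name of a Windows path: C:\\...\\WmiPrvSE.exe -> wmiprvse.exe."""
    return PureWindowsPath(path).name.lower()


def schtasks_details(cmdline: str) -> dict:
    """Extract whether a task is created, its name (/tn) and its action (/tr)."""
    def first(match):
        return (match.group(1) or match.group(2)) if match else None
    return {
        "creates_task": "/create" in cmdline.lower(),
        "task_name": first(TN_RE.search(cmdline)),
        "task_action": first(TR_RE.search(cmdline)),
    }


def flag_wmi_children(events):
    """Return (findings, {parent_pid: child_count}) for suspicious wmiprvse.exe children."""
    findings, per_parent = [], Counter()
    for ev in events:
        if image_name(ev["ParentImage"]) != "wmiprvse.exe":
            continue
        child = image_name(ev["Image"])
        if child not in SUSPICIOUS_WMI_CHILDREN:
            continue
        per_parent[ev["ParentProcessId"]] += 1
        finding = {"pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"], "child": child}
        if child == "schtasks.exe":
            finding.update(schtasks_details(ev["CommandLine"]))
        findings.append(finding)
    return findings, dict(per_parent)


def _event(pid, ppid, image, parent, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}


WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events. Parent pid 684, the child pids and the /tr targets come
# from the report; task names, schedules and quoting are assumptions.
SAMPLE_EVENTS = [
    _event(1372, 684, SCHTASKS, WMIPRVSE,
           r'schtasks.exe /create /tn "UpdateCheck1" /sc MINUTE /mo 5 '
           r'/tr "C:\Program Files (x86)\Windows Defender\csrss.exe" /f'),
    _event(4996, 684, SCHTASKS, WMIPRVSE,
           r"schtasks.exe /Create /TN UpdateCheck2 /SC ONLOGON /TR C:\Windows\ServiceProfiles\sihost.exe /F"),
    _event(3484, 684, SCHTASKS, WMIPRVSE,
           r'schtasks.exe /create /tn "UpdateCheck3" /sc ONLOGON /rl HIGHEST '
           r'/tr "C:\Program Files\7-Zip\Lang\lsass.exe" /f'),
    # Same binary, ordinary parent: an admin running schtasks from a shell is not flagged.
    _event(5100, 2200, SCHTASKS, EXPLORER, r"schtasks.exe /query /tn UpdateCheck1"),
]

if __name__ == "__main__":
    hits, counts = flag_wmi_children(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("children per wmiprvse.exe pid:", counts)
```

The per-parent count is the useful aggregate: a single wmiprvse.exe instance fathering dozens of schtasks.exe children in a few seconds, as in this run, is a burst no administrative tooling produces, and the extracted /tr targets hand you the dropped binaries to collect.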
Modifies registry class 16 IoCs
Processes: csrss.exe, 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings  csrss.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 39 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 51 IoCs
Processes: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe, csrss.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  csrss.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process's depth in the tree (it is a child of the nearest preceding entry one level up), its image path, its command line, its PID and the signatures it triggered.

Depth 1: C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"
  PID: 3672
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  PID: 1616
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  PID: 4284
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  PID: 4300
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  PID: 4356
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  PID: 5096
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  PID: 2892
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  PID: 3312
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  PID: 4032
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  PID: 2388
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  PID: 1192
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  PID: 4896
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AHjKJtDsqF.bat"
  PID: 2208
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1996

Depth 3: C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"
  PID: 4932
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  PID: 4376
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  PID: 4112
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  PID: 4556
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  PID: 2928
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  PID: 2880
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  PID: 2912
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  PID: 4760
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  PID: 5000
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  PID: 3576
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  PID: 1944
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  PID: 4208
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Depth 4: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 1828
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Depth 5: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3ed7e3e-a4e2-40af-8049-83337d7c8668.vbs"
  PID: 4748
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 2456
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Depth 7: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd81e433-a47e-4909-bcd6-be63ea329b3a.vbs"
  PID: 3416
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 1316
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 9: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e940332e-2a5e-4688-9aee-017368a7e9a1.vbs"
  PID: 2864

Depth 10: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 3012
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 11: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9667e039-cbb8-434f-826d-a71e49bee52c.vbs"
  PID: 4356

Depth 12: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 3596
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 13: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c159b3-0128-4873-9dcf-065314d47d43.vbs"
  PID: 644

Depth 14: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 4804
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 15: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01411473-7746-4bce-8350-85d41f9af26e.vbs"
  PID: 3960

Depth 16: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 2496
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 17: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3698677-11cf-42bb-9c15-a6c646eeda58.vbs"
  PID: 2132

Depth 18: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 4556
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 19: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e234ee-da72-48b5-870e-2d445fb948e5.vbs"
  PID: 3276

Depth 20: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 1256
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 21: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fdc7c8-15cb-4f24-9069-2d2fbc37c0b6.vbs"
  PID: 2664

Depth 22: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 4240
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 23: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8998c9f2-2e66-4878-a9b8-bfe8a34ced80.vbs"
  PID: 3920

Depth 24: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 2204
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 25: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fabace9-2acc-45a3-983e-1c0c0f6d4dbf.vbs"
  PID: 4156

Depth 26: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 3492
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 27: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2ff6d0-195c-4f7e-bca5-707bedf28894.vbs"
  PID: 1080

Depth 28: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
  PID: 5092
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Depth 29: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2115e1f2-5b2a-4e29-adf5-4d6e7a247c21.vbs"
  PID: 3548

Depth 30: C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4880 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b81c8b17-f9ae-4b20-a800-daa36b9c1891.vbs"31⤵PID:4992
-
C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe"32⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4732
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db724201-69a9-483a-a361-6488e385196f.vbs"31⤵PID:2016
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd54648e-f4ec-40c4-9dd3-a4f9a3213155.vbs"29⤵PID:3960
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11b24d26-e77e-4605-af58-0702e58285a4.vbs"27⤵PID:1936
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25622c67-6ef2-4629-9637-181bbdd4792d.vbs"25⤵PID:1308
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f6d21dc-1859-4b91-9ca9-a619717ddbb4.vbs"23⤵PID:4432
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9b50678-a1fe-4551-af9c-18321f1e0aac.vbs"21⤵PID:4804
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a1bc58-0e51-4176-8bc6-cc61ec4e269e.vbs"19⤵PID:1512
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f92a70fe-0ecf-4669-a5cd-410ba3fc73c1.vbs"17⤵PID:752
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d1883a5-f382-4e19-a820-8706d3ba049d.vbs"15⤵PID:4920
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd4c9f3-aedc-408b-8676-9ce3efc0f9ab.vbs"13⤵PID:5060
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c4e358-f249-48c5-9314-eba8010e80c9.vbs"11⤵PID:3256
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719b75f5-6f24-4a2a-bba5-9fbf6475cdfe.vbs"9⤵PID:1604
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f755d41-99ff-4c86-beab-f70b8602ad6d.vbs"7⤵PID:4964
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28633f8a-a59b-46be-be97-418b7da6e0e6.vbs"5⤵PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Updates\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:1828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\MoUsoCoreWorker.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /f1⤵
- Creates scheduled task(s)
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\sppsvc.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f1⤵
- Creates scheduled task(s)
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f1⤵PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:4216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\TrustedInstaller.exe'" /f1⤵PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Admin\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
PID:3292
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD5 77177c57df58a82f289add0cf57ea320
SHA1 38c0414cb96be176cdf3b965b870bdf5de04f4a4
SHA256 6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50
SHA512 67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6
-
Filesize
2.9MB
MD5 a189778ec06cf1dffb644c634c1e8ce4
SHA1 91c7ac070ff86600760ee8fb5f3fa2671504b49f
SHA256 27eab1726393c623f47921f16f4655c335e79ce8bff6c3cac00c4d674f99c5bf
SHA512 9f0220055b94aa80ea900dd5e0fd10bede870664b7ca8772656cf67a3fcb3a8df69b01b707d8534e37740fafd10afb5447debc068de7dca5174a8577d3d30c55
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe.log
Filesize
1KB
MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5 92075279f2dbcaa5724ee5a47e49712f
SHA1 8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb
SHA256 fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442
SHA512 744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22
-
Filesize
944B
MD5 6019bc03fe1dc3367a67c76d08b55399
SHA1 3d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA256 7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA512 6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb
-
Filesize
944B
MD5 bf3651a8682259b5e292b98289271f76
SHA1 4694a32734c377985dafbd15e26b9a129f1e4a45
SHA256 5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575
SHA512 d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896
-
Filesize
944B
MD5 a672fcf7facce635c83caf7b195d0bf8
SHA1 fec2f6c2456efe713ba08fa692a4a356f2f37ba8
SHA256 71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c
SHA512 12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f
-
Filesize
944B
MD5 9405862a3b15dc34824f6a0e5f077f4f
SHA1 bbe0000e06be94fa61d6e223fb38b1289908723d
SHA256 0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210
SHA512 fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d
-
Filesize
944B
MD5 01841b4277227c0578c89131444e7d57
SHA1 b00fbb6cabb5d09d50c28c0fdc62e5e6917b0c5d
SHA256 34797c2cafe0d94ea265e6aba8e38c3c34532e125bdd6dc8c1eab16a977a8cfa
SHA512 15c656ce162ff535506f9f22d285355576e53b89baebc1064523ab59f2eccb111cdd71c1fd66e59995d0727993bd268c976a9bd6cd78ff78d19a3c13436f0497
-
Filesize
944B
MD5 be95052f298019b83e11336567f385fc
SHA1 556e6abda268afaeeec5e1ee65adc01660b70534
SHA256 ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027
SHA512 233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5
-
Filesize
737B
MD5 1d1c8c623ee93004ad9c895d48b861c7
SHA1 1afa2194a34662ebaac8f8ba9a37acb8fa69a707
SHA256 4ea7630d649aeaf90e61029c6c8feb59b8b224d4722ded855478f425747961e8
SHA512 eb0ba77fc97aa20cbcc7ee05148ee17202a059a4c293778046f0418d7eec9fea4fd2176e0ce7cea6054197cd5f5d6fb1fa10f176c853bd3c4543a5f7f394f9d1
-
Filesize
737B
MD5 f1bd92578fa4b27df37cfa29461b06b3
SHA1 225453e08decbdeebec9c64d2f5340d8c5449bb4
SHA256 c7eac840d3baa326b97e1487d55537cefe0fa4dbfc63df48ab0e666e858c50da
SHA512 72a9b4e72f7e0b75c78394d5f2bd83d0e588ef533569444578536cc43049949f02a363ce195ffc9926fc558f5f3c2ce8cfb95c13ee7d0aa31b85b32d74e8a96c
-
Filesize
737B
MD5 ebdd8f417514e8e067a0c14d0599d9a1
SHA1 e81fc5137743f88f4602c247ffee1d30aedba621
SHA256 09578a72a8a62be958cf485a0d77ba76fcafbfcbcbbbbd0a687ca109447741b1
SHA512 60dd7f7c32dd7daf8e6f5cc3aa0612198d94ae1958e77e7acc3f221a022fa0f165313285e004ba26de2c3695d406b3b5bcdc2a1137c86427d52d57b0c2f86034
-
Filesize
513B
MD5 9b1854d489601758f78ccd3034439b08
SHA1 c5c792cb0a03e78581da59443dd13033dd2f1d62
SHA256 a623c66c0c23ff850bae83c44270ade92997a5171a4b5e000eb0798bd64d3644
SHA512 d9ee21cc04e1f623a23a20e8a63a1ff5f46b7bfe5d6c314f8865433aa7d3b08861d6a8fc9b19cd62c9f8b4ae3771cc0fff271bebb69c5b96431de3dd4620d113
-
Filesize
737B
MD5 832f2fa691f4d7df55c29f211cf5d91d
SHA1 c53ec1bc94fb7a78893060051c9615eb567d0518
SHA256 684aece4b3fa894ccbcffd1dfb177e88db013e8195b2a2aec42b745f3973d241
SHA512 09d40b9797a4d07532450f5bcdeec927dbcdb8bb6f78b7bfb91b7d2cc6c6bfb416676dd24054283f86943b0c0e98c9c1fd382317213af4d1b1c443e8c77e3693
-
Filesize
737B
MD5 12759071f61a3a4930c2556b8c5d4122
SHA1 e4308042591f8072de6920a122bd7362adf542a7
SHA256 bcecaf6f3226d26777011f53eae46f8eda9b08b952425af679f3635f9613d9c9
SHA512 1e4c836887ba10ede32e2afc71c629ce6e16874c1d078a8a3efab23b5c2d9839efc04057a30926a947ac2345737f57faceb01ecac3ac41c8f4d1f05b4e1384ae
-
Filesize
250B
MD5 42cb773f28e7795663ede3a42f4e5ca2
SHA1 ef209c82aafd80d0605d72c3e059bd8c4799e59d
SHA256 65d62b59b8644b8220f682a4cea3dd0f9305bce73ad59780d13332a1246d777d
SHA512 50660c7cc1bd2bd5e8084d3059e766f74bbbb86c501b4c8e5d820e60c5708353050ec4a72165ed9747fa179b384b6570020660347c55535553414ee92d5a8c5f
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
737B
MD5 99a0a452a921342656f87af3b7accec9
SHA1 327affa576da9c23ac7f4e018c8752849e9b9ba4
SHA256 8bfbc3d6129711a62d391abaae168e8e539a2267bc04d6ed5f05ff92758d945e
SHA512 824acd9c8e396dd67a1c882b78e3004ab09ea81083f987a2dd08b08290a6f67ba4900bc46125d7caa19769527ad99fc1cd95d1d403b2b02062ec41324ba3d2c8
-
Filesize
737B
MD5 76e816b379183277ece75e4e5708b49b
SHA1 54a73e406155387b38df188bb272a9531f49d71d
SHA256 e8446694445787f83b045fdfbcb751378cdb901370053186f6fa0ad7c697eeed
SHA512 e03c334141c3e475f8d8b44de49bd2e977e2e0efc984d99caefe5787b889fd3beefaa72fa588ef533fdebef73343ebd30467816c3dad771c7ce0ee907762b4df
-
Filesize
737B
MD5 843d3156be2c9170aad624e41236a65c
SHA1 d3925cfd92987d639c8f1ab311b0e927e5f41072
SHA256 8e5e023e3aa3d828583cf15944ad6c005c286c9e095b571f770d5d8673c381ec
SHA512 980533eb0ac0ee6bcc579afd11f01e424b1b85e222a02e176b0e6d18af6f0619f937f00c6b7dfe5d3daaf69940bf1ae98b8ae6eedb3080d0c348e03abb086678
-
Filesize
737B
MD5 51874d23f1762b94d66a02db5b54cd55
SHA1 d09c7a5fc2c4d2fb8120f8cdacb5f0fab40053bc
SHA256 a1eb4a338f4f6049aac15d266e267de52fb4c8177ab31c90919d89de45964dac
SHA512 3d6e59e944066ead08d9fe25259cd4faef06420ff1e40ce263d0f49b805265499b5c95537932082177ca08a5297ca7c9f80b0d033a2aaa6a5886c72fe0799500