Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 07:21
Behavioral task
behavioral1
Sample
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe
-
Size
2.9MB
-
MD5
a2076a85de5c50013fd48e423e2c2050
-
SHA1
4ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6
-
SHA256
296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
-
SHA512
ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3
-
SSDEEP
49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4828 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1084 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1352 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4656 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4744 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3484 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4648 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4672 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1904 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2232 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4512 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4116 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1392 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3000 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1444 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5032 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 528 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4720 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4028 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3752 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 952 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4852 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 408 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3984 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3660 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3228 1260 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1960 1260 schtasks.exe -
Processes:
RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exea2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe -
Processes:
resource yara_rule behavioral2/memory/720-1-0x0000000000C40000-0x0000000000F26000-memory.dmp dcrat C:\Program Files\Java\jre8\lib\sihost.exe dcrat C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe dcrat C:\Recovery\WindowsRE\RuntimeBroker.exe dcrat behavioral2/memory/3972-293-0x0000000000F50000-0x0000000001236000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5004 powershell.exe 2820 powershell.exe 3020 powershell.exe 2136 powershell.exe 3496 powershell.exe 4648 powershell.exe 2404 powershell.exe 3268 powershell.exe 4772 powershell.exe 3748 powershell.exe 2676 powershell.exe -
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
RuntimeBroker.exea2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe -
Executes dropped EXE 14 IoCs
Processes:
RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exepid process 3972 RuntimeBroker.exe 3228 RuntimeBroker.exe 720 RuntimeBroker.exe 952 RuntimeBroker.exe 2232 RuntimeBroker.exe 5056 RuntimeBroker.exe 3504 RuntimeBroker.exe 2304 RuntimeBroker.exe 1904 RuntimeBroker.exe 2676 RuntimeBroker.exe 4360 RuntimeBroker.exe 1388 RuntimeBroker.exe 216 RuntimeBroker.exe 4480 RuntimeBroker.exe -
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RuntimeBroker.exe -
Drops file in Program Files directory 17 IoCs
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exedescription ioc process File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files\Java\jre8\lib\66fc9ff0ee96c2 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\29c1c3cc0f7685 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Internet Explorer\sppsvc.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Internet Explorer\0a1fd5f707cd16 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jre8\lib\RCX50F4.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5F03.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files\ModifiableWindowsApps\wininit.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Internet Explorer\RCX638A.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Internet Explorer\sppsvc.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files\Java\jre8\lib\sihost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files\Java\jre8\lib\sihost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX55F7.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe -
Drops file in Windows directory 9 IoCs
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exedescription ioc process File opened for modification C:\Windows\Sun\Java\Deployment\dllhost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Windows\Resources\fontdrvhost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Windows\WinSxS\sysmon.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Windows\Sun\Java\Deployment\RCX48D1.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Windows\Resources\RCX4CDB.tmp a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File opened for modification C:\Windows\Resources\fontdrvhost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Windows\Sun\Java\Deployment\dllhost.exe a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Windows\Sun\Java\Deployment\5940a34987c991 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe File created C:\Windows\Resources\5b884080fd4f94 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2356 schtasks.exe 5032 schtasks.exe 1860 schtasks.exe 3752 schtasks.exe 3388 schtasks.exe 3460 schtasks.exe 4580 schtasks.exe 3684 schtasks.exe 1392 schtasks.exe 3000 schtasks.exe 4656 schtasks.exe 3180 schtasks.exe 1904 schtasks.exe 1444 schtasks.exe 528 schtasks.exe 4028 schtasks.exe 4852 schtasks.exe 4828 schtasks.exe 1084 schtasks.exe 3484 schtasks.exe 4672 schtasks.exe 4844 schtasks.exe 2540 schtasks.exe 3228 schtasks.exe 1352 schtasks.exe 4744 schtasks.exe 1492 schtasks.exe 2232 schtasks.exe 4720 schtasks.exe 3184 schtasks.exe 1960 schtasks.exe 2640 schtasks.exe 4648 schtasks.exe 1820 schtasks.exe 952 schtasks.exe 408 schtasks.exe 4512 schtasks.exe 1144 schtasks.exe 5020 schtasks.exe 3984 schtasks.exe 3660 schtasks.exe 4116 schtasks.exe 1544 schtasks.exe 1840 schtasks.exe 1484 schtasks.exe -
Modifies registry class 15 IoCs
Processes:
RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exea2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exepid process 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe 4772 powershell.exe 4772 powershell.exe 2820 powershell.exe 2820 powershell.exe 5004 powershell.exe 5004 powershell.exe 3268 powershell.exe 2404 powershell.exe 3268 powershell.exe 2404 powershell.exe 3496 powershell.exe 3496 powershell.exe 2136 powershell.exe 2136 powershell.exe 2676 powershell.exe 2676 powershell.exe 3748 powershell.exe 3748 powershell.exe 3020 powershell.exe 3020 powershell.exe 4648 powershell.exe 4648 powershell.exe 3748 powershell.exe 3020 powershell.exe 4772 powershell.exe 2404 powershell.exe 2820 powershell.exe 3268 powershell.exe 2136 powershell.exe 5004 powershell.exe 3496 powershell.exe 4648 powershell.exe 2676 powershell.exe 3972 RuntimeBroker.exe 3228 RuntimeBroker.exe 720 RuntimeBroker.exe 952 RuntimeBroker.exe 2232 RuntimeBroker.exe 5056 RuntimeBroker.exe 3504 RuntimeBroker.exe 2304 RuntimeBroker.exe 1904 RuntimeBroker.exe 2676 RuntimeBroker.exe 4360 RuntimeBroker.exe 1388 RuntimeBroker.exe 216 RuntimeBroker.exe 4480 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exedescription pid process Token: SeDebugPrivilege 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Token: SeDebugPrivilege 4772 powershell.exe Token: SeDebugPrivilege 2820 powershell.exe Token: SeDebugPrivilege 3748 powershell.exe Token: SeDebugPrivilege 5004 powershell.exe Token: SeDebugPrivilege 2404 powershell.exe Token: SeDebugPrivilege 3268 powershell.exe Token: SeDebugPrivilege 3020 powershell.exe Token: SeDebugPrivilege 3496 powershell.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 3972 RuntimeBroker.exe Token: SeDebugPrivilege 3228 RuntimeBroker.exe Token: SeDebugPrivilege 720 RuntimeBroker.exe Token: SeDebugPrivilege 952 RuntimeBroker.exe Token: SeDebugPrivilege 2232 RuntimeBroker.exe Token: SeDebugPrivilege 5056 RuntimeBroker.exe Token: SeDebugPrivilege 3504 RuntimeBroker.exe Token: SeDebugPrivilege 2304 RuntimeBroker.exe Token: SeDebugPrivilege 1904 RuntimeBroker.exe Token: SeDebugPrivilege 2676 RuntimeBroker.exe Token: SeDebugPrivilege 4360 RuntimeBroker.exe Token: SeDebugPrivilege 1388 RuntimeBroker.exe Token: SeDebugPrivilege 216 RuntimeBroker.exe Token: SeDebugPrivilege 4480 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.execmd.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exedescription pid process target process PID 720 wrote to memory of 3020 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3020 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2136 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2136 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 4772 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 4772 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3496 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3496 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3748 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3748 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2676 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2676 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 4648 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 4648 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2404 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2404 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3268 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 3268 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 5004 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 5004 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2820 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 2820 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe powershell.exe PID 720 wrote to memory of 1656 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe cmd.exe PID 720 wrote to memory of 1656 720 a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe cmd.exe PID 1656 wrote to memory of 1508 1656 cmd.exe w32tm.exe PID 1656 wrote to memory of 1508 1656 cmd.exe w32tm.exe PID 1656 wrote to memory of 3972 1656 cmd.exe RuntimeBroker.exe PID 1656 wrote to memory of 3972 1656 cmd.exe RuntimeBroker.exe PID 3972 wrote to memory of 2728 3972 RuntimeBroker.exe WScript.exe PID 3972 wrote to memory of 2728 3972 RuntimeBroker.exe WScript.exe PID 3972 wrote to memory of 3684 3972 RuntimeBroker.exe WScript.exe PID 3972 wrote to memory of 3684 3972 RuntimeBroker.exe WScript.exe PID 2728 wrote to memory of 3228 2728 WScript.exe RuntimeBroker.exe PID 2728 wrote to memory of 3228 2728 WScript.exe RuntimeBroker.exe PID 3228 wrote to memory of 4348 3228 RuntimeBroker.exe WScript.exe PID 3228 wrote to memory of 4348 3228 RuntimeBroker.exe WScript.exe PID 3228 wrote to memory of 3732 3228 RuntimeBroker.exe WScript.exe PID 3228 wrote to memory of 3732 3228 RuntimeBroker.exe WScript.exe PID 4348 wrote to memory of 720 4348 WScript.exe RuntimeBroker.exe PID 4348 wrote to memory of 720 4348 WScript.exe RuntimeBroker.exe PID 720 wrote to memory of 3136 720 RuntimeBroker.exe WScript.exe PID 720 wrote to memory of 3136 720 RuntimeBroker.exe WScript.exe PID 720 wrote to memory of 3740 720 RuntimeBroker.exe WScript.exe PID 720 wrote to memory of 3740 720 RuntimeBroker.exe WScript.exe PID 3136 wrote to memory of 952 3136 WScript.exe RuntimeBroker.exe PID 3136 wrote to memory of 952 3136 WScript.exe RuntimeBroker.exe PID 952 wrote to memory of 1912 952 RuntimeBroker.exe WScript.exe PID 952 wrote to memory of 1912 952 RuntimeBroker.exe WScript.exe PID 952 wrote to memory of 796 952 RuntimeBroker.exe WScript.exe PID 952 wrote to memory of 796 952 RuntimeBroker.exe WScript.exe PID 1912 wrote to memory of 2232 1912 WScript.exe RuntimeBroker.exe PID 1912 wrote to memory of 2232 1912 WScript.exe RuntimeBroker.exe PID 2232 wrote to memory of 4436 2232 RuntimeBroker.exe WScript.exe PID 2232 wrote to memory of 4436 2232 RuntimeBroker.exe WScript.exe PID 2232 wrote to memory of 4596 2232 RuntimeBroker.exe WScript.exe PID 2232 wrote to memory of 4596 2232 RuntimeBroker.exe WScript.exe PID 4436 wrote to memory of 5056 4436 WScript.exe RuntimeBroker.exe PID 4436 wrote to memory of 5056 4436 WScript.exe RuntimeBroker.exe PID 5056 wrote to memory of 4608 5056 RuntimeBroker.exe WScript.exe PID 5056 wrote to memory of 4608 5056 RuntimeBroker.exe WScript.exe PID 5056 wrote to memory of 4444 5056 RuntimeBroker.exe WScript.exe PID 5056 wrote to memory of 4444 5056 RuntimeBroker.exe WScript.exe PID 4608 wrote to memory of 3504 4608 WScript.exe RuntimeBroker.exe PID 4608 wrote to memory of 3504 4608 WScript.exe RuntimeBroker.exe -
System policy modification 1 TTPs 45 IoCs
Processes:
RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exea2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a2076a85de5c50013fd48e423e2c2050_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:720 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\48sAkNrSAB.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1508
-
-
C:\Recovery\WindowsRE\RuntimeBroker.exe"C:\Recovery\WindowsRE\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3972 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5df52fb-3bd3-4eb9-aabe-947f1aeafc7b.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3228 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d944b65c-516e-444a-aa07-44664e8f62a3.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:720 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\040bc938-c31f-4199-b6f0-f70d235aa631.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:952 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de3ee7f-0f4b-4176-869d-240c966af155.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2232 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af082c4d-682c-419d-993d-b683b10828a4.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5056 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d09534af-13c7-4de7-a5b2-ee4846e35e3a.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3504 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1682fb79-f2b1-4ae9-8e82-0eabf573fdec.vbs"16⤵PID:2640
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2304 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d901daf0-d811-4b88-8d66-21b62690b5b1.vbs"18⤵PID:2468
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1904 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c0d673f-1a5d-40cb-9b2b-484c4a186acf.vbs"20⤵PID:640
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2676 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be968a8-b845-4870-a53f-9a3b6d8c89b6.vbs"22⤵PID:2472
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4360 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\241bc3ee-8e86-4114-aced-1d747012f2e9.vbs"24⤵PID:1376
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1388 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecca572a-31d5-40ab-a9ee-70e1976c1999.vbs"26⤵PID:3404
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:216 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\381fd8a6-fb7c-4d85-a2f7-ea78d0d5f992.vbs"28⤵PID:1080
-
C:\Recovery\WindowsRE\RuntimeBroker.exeC:\Recovery\WindowsRE\RuntimeBroker.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4480 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b40b5a3-780c-4a3f-a7e7-4ab32a70888b.vbs"30⤵PID:1904
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f579d8-f0b0-444e-bf3f-a1669746d3c6.vbs"30⤵PID:1088
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31327b99-ec22-4e26-8375-d919ee1fdddb.vbs"28⤵PID:3152
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6a075a3-80ba-4a3a-ab25-92bafb1aa935.vbs"26⤵PID:224
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cb67be-6bb2-4d7d-a37e-c5dd4cf1b251.vbs"24⤵PID:1620
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76363780-4244-4c2f-9ec6-c544a2595656.vbs"22⤵PID:2456
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89583493-abaf-43df-a59c-62aadc42e2d0.vbs"20⤵PID:2180
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eba36fd6-b8dd-48ac-aaf9-e5399890e103.vbs"18⤵PID:3396
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd988f1c-ac37-42a7-b599-f643e78050e2.vbs"16⤵PID:1492
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f795dac-606d-49c8-a4f3-864b20082917.vbs"14⤵PID:4444
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5b8577-0683-4760-9c59-23158d576ad8.vbs"12⤵PID:4596
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ec971c1-6ec3-4577-a03f-aa8ec31995aa.vbs"10⤵PID:796
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126b996a-2224-4270-9c15-631bef969a1f.vbs"8⤵PID:3740
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33262717-c685-4977-958e-57dbee9517a7.vbs"6⤵PID:3732
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\213b4795-adef-4574-85d4-e63f95644206.vbs"4⤵PID:3684
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre8\lib\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD51c8a169288baa053351d8a8957652003
SHA1d41e7ccff1801959e966b818349017ce87451da5
SHA2562856e4596a7e650b4978cda6b0e482b7c00aff2b736f072eb1735c24af0b22f4
SHA512d00ac382f01500d8b9a2a39725851530f07c0ab8989221f3ac9cf24dbdfb262d2725afbeca0bf1b24f950117cdd832714f1319028ec9007159645abaf4b3953d
-
Filesize
2.9MB
MD5a2076a85de5c50013fd48e423e2c2050
SHA14ef4d4fd4cf21287ccb37baa4fc8a4efa31b6bd6
SHA256296ff7111b13564c6bffbc590f46a21188c873f95658d756c22425584453b9b6
SHA512ff45a43830600f097569378af3d957346f2e66bfbf65f5a89ba592c5b90ef0759bf7a587914fb84c3406b6624c2301652ed30440cde9701d18bdf68b46cfa1a3
-
Filesize
2.9MB
MD589fd9805b81ee443cfc45649a131a483
SHA14857767c5e48d3ae858ba410aaeb3e4b78652295
SHA25661620d980e6ebe7a0bbdec6e7254c369fbe6b9e28d8a6b820583273f5bf14f3e
SHA512a76c7cadcff852525659bb6da1707da9073c77b7148c1671a219df064c546d81449486da0e6d57705cd98a000dbf317024eaa80e4cefcea9657ff93f13654380
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
714B
MD5468b230bf966ba8c651c40e1e203f1e1
SHA1abda1b16b7ab9c7979304862859cd99e357e9fa7
SHA2567f69b220f86d30281adde9f5e0e2d130230ec6235842ce3f01e34854f7f4533f
SHA5125ee5e3b47f793fee2d8e6403848cc6e8ee4d7a1376595d61a1d39be32cb222cf0419615699a254ac4d52a803225b21eac669056a55e540462ec60b02391a0de0
-
Filesize
715B
MD5284ce2f0ade0ab7280bbc10c3c7d4f11
SHA1be744ba155833ef1ea82c8d44671bf895f1efe34
SHA2562bb5e9f812be958a773a53d31ff61403875222323b697e863a202fac188773ad
SHA512e029b0701c32b3fe397661ae5b799416f871a08b4343ac00095be1fd7cc46b3443a9d04850cb3c5befcdf1ef462f6e84093d196c1932ca07f473335090f94c93
-
Filesize
491B
MD50cc7ef608f19ac86cf5f64751304baa6
SHA14707b5d4666a2182698978f9291e99679b4cce48
SHA2568e095a59dab14b3a5204feb3ddd8ea49b7d2700023b15579e0f8f47c3c864a66
SHA512c3a9f8cbab04c5a2bc1e062c50a28367f1ddc22ebaa8be5cc8a785ab4effa8d43fcf437b150208b9683a69b9e9d9681ae26d7894104fda6f17c08f4eb1873dce
-
Filesize
715B
MD52bcb774bda44a03e7e02af20a4968716
SHA147f66477e5761078c75091875ca8051773c4b4d5
SHA25654fa4c022c0b7d3ec54b6ee9725f7c60b2365d79d236997c11afa6225ab29d3e
SHA5129bf50817c331ded34884a01d44646d51b1d1761806566ff78ebc7eead79e6b638c71cc4ae5658bfb62a876ff0ce4942bbddf462d491972fac701dd05ad36fdb7
-
Filesize
714B
MD50b91a53925ffffa42dc9bbc2a47eccc7
SHA1efcf36bcb0686f361f36190c0b2b535d82ac0ce8
SHA256b0c437783c1d35a75971ae3fa21986c08fb99a1d1c0fdde8bf0118e12eb2ef88
SHA51252410c644ad204d7504b54607ea24e85596d40d71f5af266d5ff76ae7f151bbb7d8f8b742eba440400e3b5d5d7274e4345130cf7a9a9fd6e6daca36087ef2ebe
-
Filesize
715B
MD5d47d343a763472cb1bf25f56914a8523
SHA142d277db2b419fd8d02f9d6bc52ec15d36709a80
SHA256d86b579fa24762585802c70d2250adc50cd42eb44c198e47d93bc2e494296b77
SHA512cf02d751ffc5fb956d1d57ad5244cbe8d66269fa4ec612ec62f02b1f4bd60f97a8a1b81a63a2e4679957dfc3a09626ce1ab5e1f551a106581379cad6e5af6fb1
-
Filesize
204B
MD5cfc5ca7ed8a24620d5fa42839110552d
SHA19365afda0abedf7f67622609df78e5b130443397
SHA2568bc4d008d51079d6252c459f970d8e8dec82fd2b3ada050d3aba23409f9f6f08
SHA512b2d154db858e8778863dd869cce71d18122fdd91a6dac81ea336804390a6d094b5e0fb7748861cfb66d10c888dca01cec6b0f606cc6ea7b936e88c20b907b2ee
-
Filesize
715B
MD5e291bad5ce93bfc227a0c59c82410f70
SHA12843a0c4d060d886cf62405256323b490534a133
SHA2562d0daec5eb092ab0e1d65b9df055997491ac2b56dad6aac440865b8a74c0aad5
SHA512f891e5fa40f25bbb3e329c36dd5056349db2a12c67b86e6469aee38616b1c528e8b0e2a55726abe1023bdbd65c239c47341f3bfd3c411aa02cf626df477866f0
-
Filesize
714B
MD574d6827a3a3f6fd62f488a038217cae5
SHA1f6dbf7dcea8bd8652dc24d6828f0b7160942af38
SHA2569ec1dd316ed5177f03ef30629008abfe32a02f7d5baa3bc2b2bac651d4ca5ab3
SHA5129b02e5cb36582296e7b5ebcbdfd9194d576cf10f6cfb0784686a17ffd720453193b4e980fc0ed78b9a6e78412b8ccf33067f7eed3727a336fb1e9bea27bfca9e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
715B
MD5c250da9266553d4e7c6d835037853b3a
SHA1a7dd7f18a74e2b917a962a5c61878e3e95ef9a87
SHA256377eb2430cc1e6d9f20cba9563fe4ae42a8a87a5f324c6db53837b77d643d653
SHA512d8f68e433a8ae2d0f546637079c366826f20af4395a4a0c35931b607d22af3192914676bbd0b48ed9e4d58c652960ac616ddfac861823cb14146030430d7e4de
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
715B
MD53ecd4700ff00b0108400ad2f93fa19e4
SHA10bd9404aba566a22bdf739ae5c4628e48e282460
SHA256068e62588172230b386dee27c6bfddb175ec98f5e2506462d13eb0cb87629410
SHA5120bd8bba6fa8b2afeee579366a2a76caab23db77799fcbe77c4673fc878a88831faf2a7a86a92f82ab15edfc4ad723f1b5c69126835b32a2c782af73be4ed5baa
-
Filesize
715B
MD530fc01150f183af0858e33b2035e3cee
SHA1e3e5cb75136c3d4fc28386d85597993d21056822
SHA256dbb379553215f4e6c7b9e600b47bf83fe8e33bd937b102f938ff3981a0e9681f
SHA512951bc48324d7e62182f963bea7a25b700aba8e3ff0c872eba65e6767c182ff05677eb0c10434efd168786673ae08a077005a6123026ae364812dd13f5fcd658b
-
Filesize
715B
MD5c02c14da25231299b7d4cb32fdd321f3
SHA1a8972bf4bfd8e816336418d7b112c61f8dee55fd
SHA2560481a25082313c0251645d10befec7e5df0bba8545f724577e0284293f9a860f
SHA512e7f59bcfc392fdcf14512a3cccf7550f0ff189f14f31003c646ff53761c510a49545b39c357103a8a24d488556cd9458784de58c8d5bfb05a873bc8d008d9bc5
-
Filesize
715B
MD597b7a99260d4893cb5f3069998d15059
SHA1ce917bf6a93277fab5cf8c24c0ae734a4c8b28b7
SHA25648b0c9ada8c8671e13e8cea54c8fd9e1a269e4992b447053c501e1df1137f25a
SHA51299d29deb8f30aee116126de6081512c6ffc7d2eacfb5b98cb4dec9dc5f386f7e96b0895da7eec5f258d43a22c9af8d50a4912e4b6a015b5b891be69eabc0a90e
-
Filesize
715B
MD52f85828c82d356a719967fc7db833478
SHA1009c915f9f476e714863d1bf4a265b9c98d1a0ff
SHA256d944eb44582e21db46aa8be09c0468a3ba7aa798a672f3e08ef7a645034277bd
SHA512de9abf9f0e92ae6a01ca56ad2edd567441d5240d7f33bf757bb04226665efea8eb875075e8cb0bf448e03e5715e285c94d7bdc01105862c2860c002ab8c8cb47