Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-05-2024 07:48
Behavioral task: behavioral1
  Sample: a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
  Resource: win7-20240221-en
General
  Target: a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
  Size: 2.9MB
  MD5: a76c3992f0ce41945386691b991de4f0
  SHA1: 694416f5f2cc6579af87f08175b52f9039930972
  SHA256: 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
  SHA512: 6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870
  SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process (48 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Caveat: the parent here is C:\Windows\system32\wbem\wmiprvse.exe, which is the parent of any process created through WMI (Win32_Process.Create). Forty-eight schtasks.exe launches under WmiPrvSE.exe, from a sample that creates 48 scheduled tasks (see "Creates scheduled task(s)" below), are consistent with the sample creating its tasks through WMI rather than with an exploited WMI provider host.
Processes (description / pid / pid_target / target process):
  All 48 rows read "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 612 (the WmiPrvSE.exe parent, by cross-reference with the scheduled-task pids below) and target process schtasks.exe. The schtasks.exe pids are:
  532, 1492, 4636, 4840, 3288, 4864, 1108, 1232, 4092, 5084, 4228, 3368, 1260,
  2284, 2264, 3272, 2568, 1676, 4472, 4824, 1576, 1296, 1424, 2180, 3584, 1300, 548, 724, 4464, 2288, 3764, 1488,
  1552, 3728, 3240, 2552, 2732, 3820, 2668, 1836, 2356, 1456, 5024, 4448, 4176, 4812, 3832, 4028
-
Modifies UAC policy in the registry (42 IoCs; the signature title was not preserved in the extracted page)
Processes (description / ioc / process):
  The sample (a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe) and each of the 13 SearchApp.exe instances perform "Set value (int)" on these three values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, 14 processes x 3 values = 42 writes:
  - EnableLUA = "0"  (turns UAC off; takes effect at the next logon/reboot)
  - ConsentPromptBehaviorAdmin = "0"  (administrators elevate without any prompt)
  - PromptOnSecureDesktop = "0"  (any remaining prompt is shown on the normal desktop, not the secure desktop)
-
DcRat YARA matches (6 IoCs)
Matches (resource / yara_rule):
  behavioral2/memory/1192-1-0x0000000000C50000-0x0000000000F36000-memory.dmp   dcrat
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe   dcrat
  C:\Users\Admin\sihost.exe   dcrat
  C:\Users\Public\Videos\RuntimeBroker.exe   dcrat
  C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe   dcrat
  C:\Program Files\Windows Sidebar\Gadgets\RCX69E4.tmp   dcrat
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. The PowerShell command lines themselves are not reproduced on this page.
Processes (pid / process):
  powershell.exe: 4440, 632, 3188, 2628, 412, 3180, 1104, 3792, 2640, 3972, 1200
-
Checks computer location settings (2 TTPs, 13 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
  Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  by a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe and by 12 SearchApp.exe instances (13 queries in total).
-
Executes dropped EXE (13 IoCs)
Processes (pid / process):
  SearchApp.exe: 644, 4924, 4608, 876, 2524, 4336, 3572, 2436, 5084, 956, 4336, 3964, 3296
  (pid 4336 is listed twice and 5084 also appears as a schtasks.exe pid above: pids were reused during the run, so match on pid plus start time, not pid alone.)
-
Checks and modifies EnableLUA (28 IoCs; the signature title was not preserved in the extracted page)
Processes (description / ioc / process):
  Each of the 14 processes (a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe and the 13 SearchApp.exe instances) both reads \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ("Key value queried", 14 rows) and writes it to "0" ("Set value (int)", 14 rows).
-
Drops file in Program Files directory (16 IoCs)
Processes (description / ioc), all by a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe:
  File created                 C:\Program Files\Internet Explorer\fr-FR\e6c9b481da804f
  File created                 C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe
  File created                 C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe
  File opened for modification C:\Program Files\Internet Explorer\fr-FR\RCX5896.tmp
  File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RCX69E4.tmp
  File created                 C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe
  File created                 C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe
  File created                 C:\Program Files\Windows Sidebar\Gadgets\9e8d7a4ca61bd9
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe
  File created                 C:\Program Files (x86)\Adobe\Acrobat Reader DC\7a0fd90576e088
  File created                 C:\Program Files (x86)\WindowsPowerShell\Modules\121e5b5079f7c0
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX5681.tmp
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe
  File opened for modification C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe
  File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\RCX652E.tmp
  Pattern: every payload copy is staged through an RCXnnnn.tmp file in the target directory and is accompanied by a 14-hex-character companion file (e6c9b481da804f, 9e8d7a4ca61bd9, 7a0fd90576e088, 121e5b5079f7c0). The copies borrow the names of legitimate Windows and Office binaries (explorer.exe, RuntimeBroker.exe, OfficeClickToRun.exe, sysmon.exe) but sit in directories where those binaries never live.
-
Drops file in Windows directory (17 IoCs)
Processes (description / ioc), all by a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe:
  File created                 C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe
  File created                 C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\5b884080fd4f94
  File created                 C:\Windows\tracing\sppsvc.exe
  File created                 C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe
  File created                 C:\Windows\es-ES\886983d96e3d3e
  File opened for modification C:\Windows\tracing\sppsvc.exe
  File opened for modification C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\RCX4FE7.tmp
  File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe
  File opened for modification C:\Windows\es-ES\RCX5EA4.tmp
  File opened for modification C:\Windows\es-ES\csrss.exe
  File created                 C:\Windows\tracing\0a1fd5f707cd16
  File created                 C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\886983d96e3d3e
  File created                 C:\Windows\es-ES\csrss.exe
  File created                 C:\Windows\Globalization\ELS\SpellDictionaries\wininit.exe
  File opened for modification C:\Windows\tracing\RCX4DE2.tmp
  File opened for modification C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe
  File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX51EC.tmp
  csrss.exe, wininit.exe, fontdrvhost.exe and sppsvc.exe are genuine System32 binaries; copies of the payload under those names in C:\Windows\es-ES, C:\Windows\INF\..., C:\Windows\tracing and C:\Windows\SystemApps\... are masquerading, and the full path, not the file name, is what a hunt should key on.
-
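As an added example (this is not code from the report, from Triage, or from the sample), the Python below turns three of the signatures above into checks that can be run over a host's own process, registry and file telemetry: schtasks.exe parented by WmiPrvSE.exe, UAC policy values written to 0, and system-binary names dropped outside the directories Windows installs them in. The event records are constructed to mirror the report's rows; the expected-directory table, the event field names and the benign control rows are assumptions made for the example.

```python
"""Host-side checks for three behaviours in the report above (added example)."""
import ntpath

SAMPLE = "a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Parent -> child names that should not occur on a healthy host.  WmiPrvSE.exe is
# the parent of anything created via WMI (Win32_Process.Create), which is the likely
# explanation for the 48 schtasks.exe launches in the report.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"},
}

# UAC policy values and the data that weakens them (0 = off / never prompt).
UAC_WEAK = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

# Where Windows really installs these names (assumed, abbreviated list).
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Constructed events modelled on the report's rows; the last entry of each list is
# a benign control that must NOT be flagged.
PROCESS_EVENTS = [
    {"ppid": 612, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "pid": 532, "image": r"C:\Windows\System32\schtasks.exe"},
    {"ppid": 612, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "pid": 1492, "image": r"C:\Windows\System32\schtasks.exe"},
    {"ppid": 1192, "parent_image": SAMPLE, "pid": 2924, "image": r"C:\Windows\System32\cmd.exe"},
    {"ppid": 9000, "parent_image": r"C:\Windows\System32\cmd.exe",
     "pid": 9001, "image": r"C:\Windows\System32\schtasks.exe"},   # admin in a shell
]
REGISTRY_EVENTS = [
    {"process": "SearchApp.exe", "key": POLICY_KEY, "value": "EnableLUA", "data": 0},
    {"process": "SearchApp.exe", "key": POLICY_KEY, "value": "ConsentPromptBehaviorAdmin", "data": 0},
    {"process": SAMPLE, "key": POLICY_KEY, "value": "PromptOnSecureDesktop", "data": 0},
    {"process": "svchost.exe", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 1},                                 # UAC being turned ON
]
DROPPED_PATHS = [
    r"C:\Windows\es-ES\csrss.exe",
    r"C:\Windows\Globalization\ELS\SpellDictionaries\wininit.exe",
    r"C:\Users\Admin\sihost.exe",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe",
    r"C:\Windows\tracing\sppsvc.exe",
    r"C:\Windows\es-ES\886983d96e3d3e",    # companion file: not a known name, not flagged
    r"C:\Windows\System32\csrss.exe",      # right name in the right place
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _norm_key(key):
    """Fold \\REGISTRY\\MACHINE\\ and HKEY_LOCAL_MACHINE\\ spellings onto hklm\\."""
    k = key.lower().replace("hkey_local_machine\\", "hklm\\")
    return k.replace("\\registry\\machine\\", "hklm\\")


def find_unexpected_children(events):
    """(ppid, parent, pid, child) for every disallowed parent/child pair."""
    hits = []
    for ev in events:
        parent, child = _base(ev["parent_image"]), _base(ev["image"])
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            hits.append((ev["ppid"], parent, ev["pid"], child))
    return hits


def find_uac_weakening(events):
    """(process, value, data) for writes that weaken UAC under the policy key."""
    hits = []
    for ev in events:
        if _norm_key(ev["key"]) != _norm_key(POLICY_KEY):
            continue
        weak = UAC_WEAK.get(ev["value"])
        if weak is not None and ev["data"] == weak:
            hits.append((ev["process"], ev["value"], ev["data"]))
    return hits


def find_masquerading_drops(paths):
    """Paths whose file name is a known system binary but whose directory is not."""
    return [p for p in paths
            if EXPECTED_DIRS.get(_base(p)) is not None and _dir(p) not in EXPECTED_DIRS[_base(p)]]


def triage(process_events, registry_events, dropped_paths):
    return {
        "wmi_spawned": find_unexpected_children(process_events),
        "uac_weakened": find_uac_weakening(registry_events),
        "masquerading": find_masquerading_drops(dropped_paths),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESS_EVENTS, REGISTRY_EVENTS, DROPPED_PATHS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The WmiPrvSE rule deliberately keys on the parent's file name and not on the sandbox's "is not expected to spawn" wording, so the same rule fires for cmd.exe or wscript.exe created through WMI; the masquerading check compares the directory, not the name, because the file names in this report are all legitimate.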
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
  schtasks.exe: 1300, 548, 4448, 1108, 4472, 1576, 2180, 3584, 3832, 2732, 532, 3368, 2568, 4824, 1296, 4636, 2284, 3764, 3240, 4812, 1456, 4840, 4092, 3728, 3820, 2668, 1836, 2356, 4176, 3288, 4864, 5084, 724, 2552, 1552, 1260, 2264, 3272, 1424, 1488, 2288, 5024, 4028, 1492, 1232, 4228, 1676, 4464
  These are the same 48 pids that appear as WmiPrvSE.exe children in "Process spawned unexpected child process" above; the task names and command lines are not reproduced on this page.
-
Modifies registry class (13 IoCs)
Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings
  by a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe and by 12 SearchApp.exe instances (13 in total).
-
Suspicious behavior: EnumeratesProcesses (57 IoCs)
Processes (pid / process):
  a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe: 1192 (11 events)
  powershell.exe: 632, 3188, 1104, 3972, 3180, 2640, 2628, 1200, 3792, 4440, 412 (3 events each, 33)
  SearchApp.exe: 644, 4924, 4608, 876, 2524, 4336, 3572, 2436, 5084, 956, 4336, 3964, 3296 (1 event each, 13)
-
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (description / pid / process), all "Token: SeDebugPrivilege":
  a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe: 1192
  powershell.exe: 632, 3188, 1104, 3972, 3180, 2640, 2628, 412, 1200, 3792, 4440
  SearchApp.exe: 644, 4924, 4608, 876, 2524, 4336, 3572, 2436, 5084, 956, 4336, 3964, 3296
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe, cmd.exe, SearchApp.exe, WScript.exe, SearchApp.exe, WScript.exe, SearchApp.exe, WScript.exe, SearchApp.exe, WScript.exe, SearchApp.exe, WScript.exe, SearchApp.exe, WScript.exe
description | pid | process | target process
PID 1192 wrote to memory of 2640 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 2640 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3972 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3972 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 1200 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 1200 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 2628 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 2628 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 412 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 412 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3180 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3180 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 1104 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 1104 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 4440 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 4440 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 632 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 632 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3792 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3792 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3188 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 3188 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe
PID 1192 wrote to memory of 2924 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | cmd.exe
PID 1192 wrote to memory of 2924 | 1192 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | cmd.exe
PID 2924 wrote to memory of 692 | 2924 | cmd.exe | w32tm.exe
PID 2924 wrote to memory of 692 | 2924 | cmd.exe | w32tm.exe
PID 2924 wrote to memory of 644 | 2924 | cmd.exe | SearchApp.exe
PID 2924 wrote to memory of 644 | 2924 | cmd.exe | SearchApp.exe
PID 644 wrote to memory of 4856 | 644 | SearchApp.exe | WScript.exe
PID 644 wrote to memory of 4856 | 644 | SearchApp.exe | WScript.exe
PID 644 wrote to memory of 5040 | 644 | SearchApp.exe | WScript.exe
PID 644 wrote to memory of 5040 | 644 | SearchApp.exe | WScript.exe
PID 4856 wrote to memory of 4924 | 4856 | WScript.exe | SearchApp.exe
PID 4856 wrote to memory of 4924 | 4856 | WScript.exe | SearchApp.exe
PID 4924 wrote to memory of 4372 | 4924 | SearchApp.exe | WScript.exe
PID 4924 wrote to memory of 4372 | 4924 | SearchApp.exe | WScript.exe
PID 4924 wrote to memory of 2644 | 4924 | SearchApp.exe | WScript.exe
PID 4924 wrote to memory of 2644 | 4924 | SearchApp.exe | WScript.exe
PID 4372 wrote to memory of 4608 | 4372 | WScript.exe | SearchApp.exe
PID 4372 wrote to memory of 4608 | 4372 | WScript.exe | SearchApp.exe
PID 4608 wrote to memory of 3364 | 4608 | SearchApp.exe | WScript.exe
PID 4608 wrote to memory of 3364 | 4608 | SearchApp.exe | WScript.exe
PID 4608 wrote to memory of 1516 | 4608 | SearchApp.exe | WScript.exe
PID 4608 wrote to memory of 1516 | 4608 | SearchApp.exe | WScript.exe
PID 3364 wrote to memory of 876 | 3364 | WScript.exe | SearchApp.exe
PID 3364 wrote to memory of 876 | 3364 | WScript.exe | SearchApp.exe
PID 876 wrote to memory of 4468 | 876 | SearchApp.exe | WScript.exe
PID 876 wrote to memory of 4468 | 876 | SearchApp.exe | WScript.exe
PID 876 wrote to memory of 4448 | 876 | SearchApp.exe | WScript.exe
PID 876 wrote to memory of 4448 | 876 | SearchApp.exe | WScript.exe
PID 4468 wrote to memory of 2524 | 4468 | WScript.exe | SearchApp.exe
PID 4468 wrote to memory of 2524 | 4468 | WScript.exe | SearchApp.exe
PID 2524 wrote to memory of 3328 | 2524 | SearchApp.exe | WScript.exe
PID 2524 wrote to memory of 3328 | 2524 | SearchApp.exe | WScript.exe
PID 2524 wrote to memory of 404 | 2524 | SearchApp.exe | WScript.exe
PID 2524 wrote to memory of 404 | 2524 | SearchApp.exe | WScript.exe
PID 3328 wrote to memory of 4336 | 3328 | WScript.exe | SearchApp.exe
PID 3328 wrote to memory of 4336 | 3328 | WScript.exe | SearchApp.exe
PID 4336 wrote to memory of 2160 | 4336 | SearchApp.exe | WScript.exe
PID 4336 wrote to memory of 2160 | 4336 | SearchApp.exe | WScript.exe
PID 4336 wrote to memory of 464 | 4336 | SearchApp.exe | WScript.exe
PID 4336 wrote to memory of 464 | 4336 | SearchApp.exe | WScript.exe
PID 2160 wrote to memory of 3572 | 2160 | WScript.exe | SearchApp.exe
PID 2160 wrote to memory of 3572 | 2160 | WScript.exe | SearchApp.exe
System policy modification 1 TTPs 42 IoCs
Processes:
SearchApp.exe, SearchApp.exe, SearchApp.exe, a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe, SearchApp.exe
All 42 writes are to values under the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
description | ioc | process
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | PromptOnSecureDesktop = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | SearchApp.exe
Set value (int) | EnableLUA = "0" | SearchApp.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1192 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3792
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bTZqdeVjxS.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:692
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:644 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3377673-5238-46aa-8bb8-d337e3a1bef2.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4924 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb50ee3-b6f0-43f8-9888-feec33f690fb.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4608 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2159b-bb97-4abc-af96-3ed50b8cb3a8.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:876 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c287d85-ea58-4341-8bfc-8b0874a4ed11.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f90df0a3-2cfe-403d-afe5-947beea7e1c2.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4336 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d92a96b-da55-481a-9c25-8e69c0c4aa13.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3572 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6c84fe-45a2-4391-b30d-471e97ccee82.vbs"16⤵PID:4964
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6583eeca-7b46-4c2e-a3fa-dca195e9217d.vbs"18⤵PID:2288
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5084 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b6f1efd-1373-4290-bef9-69906f9689fd.vbs"20⤵PID:1932
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:956 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ced3bcd-7119-40ff-bc04-2ebab54349ee.vbs"22⤵PID:2172
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4336 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92305b84-615e-4c51-a82c-17f274c8b008.vbs"24⤵PID:3188
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3964 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5af9c4f-13a5-4736-92cb-6efda4eaad09.vbs"26⤵PID:1636
-
C:\Users\Default User\SearchApp.exe"C:\Users\Default User\SearchApp.exe"27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3296
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f7ad0a-f3d8-41c3-ae2e-6e87b43ad04e.vbs"26⤵PID:3748
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5670110e-3ece-43e1-93f5-0e2665f1088c.vbs"24⤵PID:2540
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cfd9777-dd1e-4dad-80b7-6a7b50b44985.vbs"22⤵PID:4108
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1abcac1-f3de-4583-ba26-b9d13da5a272.vbs"20⤵PID:4864
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b25e896-ad08-4a49-bf38-15ccf5350c54.vbs"18⤵PID:4684
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0c6a276-ec10-4e2e-99cf-8f1bc3edb5c3.vbs"16⤵PID:3752
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208485dc-94bc-4d0e-82ba-6f73131f7da7.vbs"14⤵PID:464
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03fed305-4fb7-4f39-8578-8a16ea1aa5e3.vbs"12⤵PID:404
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\378d01be-84b0-4205-9c10-cbd8aa48f517.vbs"10⤵PID:4448
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1141c1a3-4ab9-45b6-9401-0c7808347786.vbs"8⤵PID:1516
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90ddbed6-cf46-4a00-a1eb-8748b22212a6.vbs"6⤵PID:2644
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a985be6-bb15-4b70-9027-e9a6b09f1f34.vbs"4⤵PID:5040
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
- Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads