Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 09:07
Behavioral task: behavioral1
Sample: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Size: 3.2MB
MD5: b6c83df257a00210c12b42d28a5df730
SHA1: 67a993a3c4547e8442f767575dafdbfe018ec0e4
SHA256: 8fdd38ee81442567732265fa944a19a51a26ec1254e8d2a54e41d254a52a35d6
SHA512: 1c0bdbae29e9761260b3f9284d41be1b63c921399e7e1822c5c725d9811bea555b64fd311ab8e86634b36fdfa381e686fe087b480de9cf958a4f944556f5f60c
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (45 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Every one of the 45 rows reads: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | <pid> | 3952 | schtasks.exe, where <pid> takes, in report order:
2536, 1380, 1168, 4692, 3000, 3756, 3976, 2060, 2808, 4888, 2648, 2900, 4072, 5020, 1940, 4324, 2548, 3248, 3188, 2896, 3820, 408, 3488, 3204, 4116, 1292, 4168, 1544, 2620, 708, 4816, 844, 4864, 2388, 5036, 4860, 544, 4876, 5108, 1540, 2552, 4344, 4880, 1256, 2108
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Processes:
resource | yara_rule
behavioral2/memory/4068-1-0x0000000000450000-0x000000000078C000-memory.dmp | dcrat
C:\ProgramData\Microsoft\DeviceSync\backgroundTaskHost.exe | dcrat
C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe | dcrat
C:\Windows\TAPI\smss.exe | dcrat
C:\Program Files (x86)\Reference Assemblies\lsass.exe | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
All 11 entries are powershell.exe, with pids: 3208, 4816, 5008, 4992, 2620, 2440, 1660, 4168, 3504, 708, 764
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Executes dropped EXE (6 IoCs)
Processes:
pid | process
All 6 entries are sihost.exe, with pids: 3228, 1100, 2572, 3016, 1716, 5068
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Drops file in Program Files directory (30 IoCs)
Processes:
description | ioc | process
The process column is b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe for every row.
File created | C:\Program Files (x86)\Reference Assemblies\lsass.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCX550C.tmp
File opened for modification | C:\Program Files (x86)\Google\RCX671D.tmp
File opened for modification | C:\Program Files (x86)\Google\RCX671E.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RCX708B.tmp
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\5940a34987c991
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\38384e6a620884
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX62F3.tmp
File created | C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\RCX50E2.tmp
File opened for modification | C:\Program Files (x86)\Google\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\lsass.exe
File created | C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe
File created | C:\Program Files (x86)\Reference Assemblies\6203df4a6bafc7
File opened for modification | C:\Program Files (x86)\Windows Media Player\Visualizations\RCX6B47.tmp
File opened for modification | C:\Program Files (x86)\Windows Media Player\Visualizations\RCX6BC5.tmp
File opened for modification | C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe
File created | C:\Program Files (x86)\Google\9e8d7a4ca61bd9
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\66fc9ff0ee96c2
File created | C:\Program Files (x86)\Google\RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\RCX50E1.tmp
File opened for modification | C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCX550B.tmp
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX62F2.tmp
File opened for modification | C:\Program Files (x86)\Reference Assemblies\RCX7109.tmp
Drops file in Windows directory (16 IoCs)
Processes:
description | ioc | process
The process column is b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe for every row.
File created | C:\Windows\TAPI\smss.exe
File opened for modification | C:\Windows\TAPI\RCX579F.tmp
File opened for modification | C:\Windows\TAPI\RCX6DDA.tmp
File created | C:\Windows\es-ES\backgroundTaskHost.exe
File created | C:\Windows\TAPI\69ddcba757bf72
File opened for modification | C:\Windows\TAPI\spoolsv.exe
File opened for modification | C:\Windows\es-ES\RCX6071.tmp
File opened for modification | C:\Windows\TAPI\RCX6E67.tmp
File created | C:\Windows\TAPI\spoolsv.exe
File created | C:\Windows\Boot\Resources\it-IT\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
File opened for modification | C:\Windows\TAPI\RCX579E.tmp
File opened for modification | C:\Windows\es-ES\backgroundTaskHost.exe
File created | C:\Windows\es-ES\eddb19405b7ce1
File opened for modification | C:\Windows\es-ES\RCX6060.tmp
File opened for modification | C:\Windows\TAPI\smss.exe
File created | C:\Windows\TAPI\f3b6ecef712a24
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 45 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
All 45 entries are schtasks.exe, with pids: 3820, 1544, 4816, 544, 3000, 4876, 4880, 4692, 2900, 5020, 5036, 3756, 4888, 4072, 4324, 3488, 4864, 2808, 1940, 2896, 4116, 1292, 1540, 2648, 2548, 3204, 2620, 4860, 2552, 1256, 1380, 3976, 2060, 4168, 708, 2388, 5108, 2536, 3248, 3188, 408, 844, 4344, 2108, 1168
Modifies registry class (7 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | sihost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
Identical rows are collapsed here with their count; the report lists each one separately.
4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe (56 entries)
4168 | powershell.exe (2 entries)
2620 | powershell.exe (2 entries)
3504 | powershell.exe (1 entry)
3208 | powershell.exe (2 entries)
4992 | powershell.exe (1 entry)
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Token: SeDebugPrivilege | 4168 | powershell.exe
Token: SeDebugPrivilege | 2620 | powershell.exe
Token: SeDebugPrivilege | 1660 | powershell.exe
Token: SeDebugPrivilege | 764 | powershell.exe
Token: SeDebugPrivilege | 3504 | powershell.exe
Token: SeDebugPrivilege | 708 | powershell.exe
Token: SeDebugPrivilege | 3208 | powershell.exe
Token: SeDebugPrivilege | 4992 | powershell.exe
Token: SeDebugPrivilege | 5008 | powershell.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeDebugPrivilege | 4816 | powershell.exe
Token: SeDebugPrivilege | 3228 | sihost.exe
Token: SeDebugPrivilege | 1100 | sihost.exe
Token: SeDebugPrivilege | 2572 | sihost.exe
Token: SeDebugPrivilege | 3016 | sihost.exe
Token: SeDebugPrivilege | 1716 | sihost.exe
Token: SeDebugPrivilege | 5068 | sihost.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes:
description | pid | process | target process
Each of the 31 rows below appears twice in the report (62 entries); the duplicates are folded here.
PID 4068 wrote to memory of 3504 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 4168 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 1660 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 2440 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 2620 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 4992 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 708 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 5008 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 4816 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 3208 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 764 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | powershell.exe
PID 4068 wrote to memory of 4636 | 4068 | b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe | cmd.exe
PID 4636 wrote to memory of 1628 | 4636 | cmd.exe | w32tm.exe
PID 4636 wrote to memory of 3228 | 4636 | cmd.exe | sihost.exe
PID 3228 wrote to memory of 2296 | 3228 | sihost.exe | WScript.exe
PID 3228 wrote to memory of 1844 | 3228 | sihost.exe | WScript.exe
PID 2296 wrote to memory of 1100 | 2296 | WScript.exe | sihost.exe
PID 1100 wrote to memory of 5008 | 1100 | sihost.exe | WScript.exe
PID 1100 wrote to memory of 1992 | 1100 | sihost.exe | WScript.exe
PID 5008 wrote to memory of 2572 | 5008 | WScript.exe | sihost.exe
PID 2572 wrote to memory of 4816 | 2572 | sihost.exe | WScript.exe
PID 2572 wrote to memory of 3052 | 2572 | sihost.exe | WScript.exe
PID 4816 wrote to memory of 3016 | 4816 | WScript.exe | sihost.exe
PID 3016 wrote to memory of 5072 | 3016 | sihost.exe | WScript.exe
PID 3016 wrote to memory of 4176 | 3016 | sihost.exe | WScript.exe
PID 5072 wrote to memory of 1716 | 5072 | WScript.exe | sihost.exe
PID 1716 wrote to memory of 4068 | 1716 | sihost.exe | WScript.exe
PID 1716 wrote to memory of 4548 | 1716 | sihost.exe | WScript.exe
PID 4068 wrote to memory of 5068 | 4068 | WScript.exe | sihost.exe
PID 5068 wrote to memory of 3652 | 5068 | sihost.exe | WScript.exe
PID 5068 wrote to memory of 4816 | 5068 | sihost.exe | WScript.exe
System policy modification 1 TTPs 21 IoCs
Processes: sihost.exe, sihost.exe, sihost.exe, sihost.exe, sihost.exe, b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe, sihost.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" sihost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" sihost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe (tree depth 1)
"C:\Users\Admin\AppData\Local\Temp\b6c83df257a00210c12b42d28a5df730_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\System32\cmd.exe (tree depth 2)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IzyyQHg7CN.bat"
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\system32\w32tm.exe (tree depth 3)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:1628
-
-
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 3)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3228 -
C:\Windows\System32\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0240b491-2552-41e3-93e6-ef2519354cad.vbs"
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 5)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1100 -
C:\Windows\System32\WScript.exe (tree depth 6)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da755566-76c3-4731-85b9-c6d0a726be21.vbs"
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 7)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2572 -
C:\Windows\System32\WScript.exe (tree depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e32f78e0-2192-420b-aea5-417d7416e695.vbs"
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 9)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016 -
C:\Windows\System32\WScript.exe (tree depth 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34d6369-8f2b-4f8e-81cf-2d08541cb926.vbs"
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 11)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1716 -
C:\Windows\System32\WScript.exe (tree depth 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19869018-5556-4429-b7e5-ef1f95fd9969.vbs"
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe (tree depth 13)
"C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5068 -
C:\Windows\System32\WScript.exe (tree depth 14)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98d4d29d-6ac1-4df1-9a17-5029024271a5.vbs"
PID:3652
-
-
C:\Windows\System32\WScript.exe (tree depth 14)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a7fd54-0b34-44fa-970c-bbf283d913e5.vbs"
PID:4816
-
-
-
-
C:\Windows\System32\WScript.exe (tree depth 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a26ab5e2-2ad4-4d1b-b2f3-4719aad81d87.vbs"
PID:4548
-
-
-
-
C:\Windows\System32\WScript.exe (tree depth 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561f772e-dba9-4993-ae63-859c154b74eb.vbs"
PID:4176
-
-
-
-
C:\Windows\System32\WScript.exe (tree depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\130bde91-89ab-4ee7-b3e0-e6229db9dddb.vbs"
PID:3052
-
-
-
-
C:\Windows\System32\WScript.exe (tree depth 6)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6162ee3e-5dc2-412e-8ba7-75ddd783298f.vbs"
PID:1992
-
-
-
-
C:\Windows\System32\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24b7903e-e002-416e-863f-763042f48d1f.vbs"
PID:1844
-
-
-
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\DeviceSync\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DeviceSync\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\DeviceSync\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\winlogon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\SearchApp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
3.2MB
MD5 a1f1b4a004cea167c0a0304ddada0cc5
SHA1 a53250f0612686818c488b97bbb3264f14580310
SHA256 8650aa811d70bf7dafa7906923b990f453f7fc5e9d0f4cc5348784fe277a436d
SHA512 91c7f203d0c2f05ebc69ba8f14922e247bf16be3b9c7c98abd7ec77924440276c0812421fc962c9c8e8bc5c3f69445b99a5a9e4551219c1c8a57d19d25d284d6
-
Filesize
3.2MB
MD5 fa5e53b3c7f7b694b0532bd4154dd947
SHA1 b75d716c9f6ba443d29bc206b040ea2f0969f376
SHA256 d5a5d3854eda2836e35c3107d24f3d6f65a9fd40a6d642012f5f59d4cbf1c441
SHA512 ce5e2c6cbab1b42d03c0dccdf4bf2477a3af4772e3e16aa25cca429e450c513e42bdfa83c745af03628ca883172fb82a4e762097fb714d7dbf65498046290e13
-
Filesize
3.2MB
MD5 b6c83df257a00210c12b42d28a5df730
SHA1 67a993a3c4547e8442f767575dafdbfe018ec0e4
SHA256 8fdd38ee81442567732265fa944a19a51a26ec1254e8d2a54e41d254a52a35d6
SHA512 1c0bdbae29e9761260b3f9284d41be1b63c921399e7e1822c5c725d9811bea555b64fd311ab8e86634b36fdfa381e686fe087b480de9cf958a4f944556f5f60c
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5 49b64127208271d8f797256057d0b006
SHA1 b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512 f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
944B
MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba
-
Filesize
944B
MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
749B
MD5 e899f9c5a38c7d36142b69bc7240425e
SHA1 283581eaf94973971a1f5fe3a054f7f06fee943d
SHA256 340a150f66ff3fb8452d88742831f29bf271620f026177a1993fb1335a3d30d8
SHA512 01816c54eb8d1ab4c570f7b2b5d3874ea2c7ebb8c249350f69d022592eaa7bc2ad42e84d8fb0e68ba9f9f12418ff6e780c144d5791124a039e4f44a1a705f109
-
Filesize
749B
MD5 12967a12c475943301010da5d29c3d27
SHA1 9ef8fb860276992a4715862abdad9f30b4792514
SHA256 e925b948ee7e3b5dbb7bb1112ca51cb531b9385aa9461269ee0849c2a2b39d3e
SHA512 6a4fe365d740faaea19fa57b9ab14364884bddc00277de643540b5d3af837cca8aad3bacad5f9b9b21f82f8206f83d7918c3392b4683c3d10c549a04e391f4d3
-
Filesize
525B
MD5 f936dcb17993614bd370eba21f97e6f3
SHA1 b44fd61ba3deb5e7a853693c538acab9e5770f91
SHA256 8682c25dcd14d8c964901e341bb0e10906bf7b74a91eab4b380d4ae284cc75e3
SHA512 0888526329549b9105a2141f8117bed9345f49d3a83327b9dd3be1f3734bcb1b61b5c451ae8bcf2dccdd73538b85c5b06bf7a845f6d3b66f0f193cc29aa33f08
-
Filesize
749B
MD5 cfd328e60edea50a39de6c7995c28eca
SHA1 772a3424731eba9d7eb6846be4d57904bc58ee40
SHA256 176fbac9f78e994e45ff36c7bec018b8aab06b013dd22081ff9ea11d00968fd7
SHA512 faf67853fe0f67293dde12e0c30a9c7efc97ff0645cc0060da2b11c3d9e68c71cfe064329776c18b30f04cba6f7267cbb3edff0a2e4f47c30bce0d332955fbef
-
Filesize
238B
MD5 5ee0b02eb5b6c4020742001dbb5d7564
SHA1 2ca045f2d3c8cfe8e1d65798d22defd7f2c47f60
SHA256 1e8aed5fc0b3cf1e5100748cc67354cb214073e65d91daad0ab74a0124078208
SHA512 dc4934cfe82a97328863a19372b592d1dfa250b5e0782cc5f0a039a7b80c1ce8cac0e85cfb17290957a6b4b639cd2e7434108cb9dd4c8495a57615939eccb4a9
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
749B
MD5 e1d2da85e82dcf2a8039db73501eb9c2
SHA1 9b6ce4a3ad580f17c07698902fa55b35b3147f28
SHA256 a7c7909310a78444c2d73e98b61bfd0262f39965c3035a79f422ead4effb3000
SHA512 4548fce522fa201444a34cd0110cfc3ceeccc4ef781b5fab1a98e3cd884f484a6923727a76fa28fabeb03555587611b6a24497d20b1b768738b78008c71d916e
-
Filesize
749B
MD5 fc64adf345b71e642474717ec054b12d
SHA1 46e545bee674147c9178e53e456e17d96ed5743b
SHA256 f811eae6a2e927cbc7b5d13cbe1c4b6c6a41ea163ee7b2b1cb24bead72111f54
SHA512 5ee5c1fa8d309860e7875dc585c0d89683582a26868c5e7706620d449f9a3eecb98df0caa352eda2d6920966829b10b7409985152b881dd5bd91d34a8503cb01
-
Filesize
749B
MD5 90e6f7b0e8eb3c2123965d521b471644
SHA1 2eba442eb6d52715f1c7b55f9efc757eeb9b51a9
SHA256 9d6be7e948b319d8c65c965ddd356b891f621ca71fac35118ce79e841163c626
SHA512 3cbe678801288cf4cd328a947704900919a029442d714f120e585fa708b7af9edd00687212c9d420537cce637a2af985d6a5d0aa91b6627db9f51dc3bc3a8cba
-
Filesize
3.2MB
MD5 e0f0bb13ee543d8c39f84e8551340816
SHA1 5d605b6c3c84159fc74898ba26f4555ab451ee9e
SHA256 18c8979c3cfa7403b8056b5e4eb9aa935600d9b5340174eb568713c8d40795f9
SHA512 0e8a6460c7586f3613f08cb2eaf44ff98486ef495b040aa3961a09a487e8af758f0d556fcd55e1bb1cdddca11b872a87dc7396c4a8eef1bfd6cef7a0091f35da