Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 14:32

Behavioral task: behavioral1
Sample: d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Resource: win7-20240215-en

General
Target: d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Size: 3.2MB
MD5: d67c083b7f55c40deae2ac79549d0a70
SHA1: c47be45497fe044d732a847a21b7b2be0172c8c5
SHA256: ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357
SHA512: 2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d
SSDEEP: 49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
resource | yara_rule
behavioral2/memory/1224-1-0x0000000000CC0000-0x0000000000FFC000-memory.dmp | dcrat
C:\Program Files (x86)\Internet Explorer\images\dllhost.exe | dcrat
C:\Program Files (x86)\Internet Explorer\images\dllhost.exe | dcrat
C:\Windows\Performance\backgroundTaskHost.exe | dcrat
C:\Windows\Fonts\sysmon.exe | dcrat
C:\Windows\ModemLogs\upfc.exe | dcrat
C:\Program Files (x86)\Windows NT\Accessories\System.exe | dcrat
behavioral2/memory/3476-418-0x00000000007C0000-0x0000000000AFC000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | sysmon.exe
Executes dropped EXE 6 IoCs
Processes:
pid | process
3476 | sysmon.exe
2492 | sysmon.exe
5036 | sysmon.exe
3168 | sysmon.exe
3396 | sysmon.exe
3236 | sysmon.exe
Drops file in Program Files directory 40 IoCs
Drops file in Windows directory 20 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 6 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | sysmon.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 18 IoCs
Suspicious use of WriteProcessMemory 58 IoCs
System policy modification 1 TTPs 21 IoCs
Processes: sysmon.exe (PIDs 3476, 2492, 5036, 3168, 3396, 3236) and d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
All values are written as int under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the UAC policy key): EnableLUA = "0" switches UAC off at the next boot, ConsentPromptBehaviorAdmin = "0" makes elevation silent for administrators, and PromptOnSecureDesktop = "0" removes the secure-desktop prompt.
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) EnableLUA = "0" by sysmon.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
- Set value (int) ConsentPromptBehaviorAdmin = "0" by d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
- Set value (int) PromptOnSecureDesktop = "0" by sysmon.exe
-
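An added PowerShell check for the three values above (example code written for this page, not part of the sandbox report or of the sample): it reads the policy key, compares each value with the Windows default and can put the default back. The defaults assumed here (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) are those of an unmanaged Windows 10 host; a GPO baseline may legitimately set different values, so adjust the table before treating a mismatch as tampering.

```powershell
# Added example, not from the sandbox report. Run as Administrator.
# Audits the UAC policy values this sample zeroes and optionally restores them.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> expected value (assumed Windows 10 defaults; align with your baseline).
$Expected = [ordered]@{
    EnableLUA                  = 1   # 0 disables UAC entirely (takes effect at next boot)
    ConsentPromptBehaviorAdmin = 5   # 0 elevates administrators without any prompt
    PromptOnSecureDesktop      = 1   # 0 shows the prompt on the normal, spoofable desktop
}

function Test-UacPolicy {
    param([string]$Key = $PolicyKey)
    $props = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name           # $null when the value is absent (default applies)
        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Tampered = ($null -ne $actual -and [int]$actual -ne $Expected[$name])
        }
    }
}

function Repair-UacPolicy {
    param([string]$Key = $PolicyKey, [switch]$WhatIf)
    foreach ($row in (Test-UacPolicy -Key $Key | Where-Object Tampered)) {
        Write-Warning ("{0} is {1}, restoring {2}" -f $row.Name, $row.Actual, $row.Expected)
        Set-ItemProperty -Path $Key -Name $row.Name -Value $row.Expected -Type DWord -WhatIf:$WhatIf
    }
}

Test-UacPolicy | Format-Table -AutoSize
# Repair-UacPolicy -WhatIf   # preview; drop -WhatIf to apply. EnableLUA only takes effect after a reboot.
```

Because EnableLUA is read at boot, a host that reports Tampered=True for it is still running with UAC off until it restarts, even after the value is restored; the same sample re-applies all three values from every relaunched sysmon.exe copy, so repair the registry only after the scheduled tasks and dropped binaries have been removed.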
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
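The same COM API used from the defender's side, as an added example (not code from the report or from the sample): it enumerates every registered task through Schedule.Service and flags those whose name or launch directory matches the schtasks commands listed under Processes. The task names and directories are taken from this report; treating every hit as suspicious is an assumption that will need tuning on hosts where third-party software legitimately registers tasks in those places.

```powershell
# Added example, not from the sandbox report. Walks the Task Scheduler via the
# Schedule.Service COM API and lists tasks that resemble this sample's persistence.
$SuspectTaskNames = @(
    'RuntimeBroker','RuntimeBrokerR','SearchApp','SearchAppS','explorer','explorere',
    'services','servicess','dllhost','dllhostd','upfc','upfcu',
    'backgroundTaskHost','backgroundTaskHostb','StartMenuExperienceHost','StartMenuExperienceHostS',
    'fontdrvhost','fontdrvhostf','sysmon','sysmons','spoolsv','spoolsvs','System','SystemS'
)
# Regexes for the directories the report's tasks launch from; the genuine binary of each
# name never lives there (e.g. there is no legitimate sysmon.exe in \Windows\Fonts).
$SuspectDirPatterns = @(
    '\\Windows\\Fonts\\', '\\Windows\\Help\\', '\\Windows\\ModemLogs\\', '\\Windows\\Performance\\',
    '\\Recovery\\WindowsRE\\', '\\Pictures\\Camera Roll\\', '\\Windows Sidebar\\Shared Gadgets\\',
    '\\Internet Explorer\\images\\', '\\MSBuild\\Microsoft\\', '\\Mozilla Firefox\\browser\\',
    '\\Windows NT\\Accessories\\', '\\Windows Multimedia Platform\\', '\\Microsoft Office 15\\',
    '\\WindowsPowerShell\\Configuration\\Registration\\'
)

function Get-AllTasks {
    # Recurse the task folder tree; flag 1 = TASK_ENUM_HIDDEN so hidden tasks are included.
    param([Parameter(Mandatory)]$Folder)
    $Folder.GetTasks(1)
    foreach ($sub in $Folder.GetFolders(0)) { Get-AllTasks -Folder $sub }
}

function Find-SuspectTasks {
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()                                  # local machine; Connect('host') for a remote one
    foreach ($task in (Get-AllTasks -Folder $svc.GetFolder('\'))) {
        $def = $task.Definition
        foreach ($action in $def.Actions) {
            if ($action.Type -ne 0) { continue }    # 0 = TASK_ACTION_EXEC; skip COM/e-mail/message actions
            # schtasks /tr "'C:\...\x.exe'" keeps the single quotes in the stored path; strip them.
            $exe = $action.Path -replace "^['`"]+|['`"]+$", ''
            $why = @()
            if ($SuspectTaskNames -contains $task.Name) { $why += 'name used by this sample' }
            if ($SuspectDirPatterns | Where-Object { $exe -match $_ }) { $why += 'launches from an odd directory' }
            if ($why.Count -eq 0) { continue }
            $runLevel = if ($def.Principal.RunLevel -eq 1) { 'HIGHEST' } else { 'LUA' }   # 1 = TASK_RUNLEVEL_HIGHEST
            $triggers = ($def.Triggers | ForEach-Object { $_.Type }) -join ','           # 9 = LOGON, 1 = TIME
            [pscustomobject]@{
                Task     = $task.Path
                Exe      = $exe
                RunLevel = $runLevel
                Triggers = $triggers
                Why      = $why -join '; '
            }
        }
    }
}

Find-SuspectTasks | Format-Table -AutoSize
# Removal, after the target binary has been collected: with a connected Schedule.Service
# object $svc, $svc.GetFolder('\').DeleteTask('sysmons', 0); or schtasks /delete /tn sysmons /f
```

Two details matter when reading the output. The report's tasks come in threes per binary (an interval task, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST), so a hit with RunLevel=HIGHEST and Triggers=9 is the logon relaunch. And because every /create passes /f, a later command with an already-used name replaces the earlier task, so on a real host only the last target per name survives.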
Processes
-
Depth 1, PID 1224: C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d67c083b7f55c40deae2ac79549d0a70_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 2, PID 1964: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 4252: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 2896: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 2920: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 4948: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 1052: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 4444: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 1948: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 1040: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 1792: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 4796: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
Depth 2, PID 3476: C:\Windows\Fonts\sysmon.exe
Command line: "C:\Windows\Fonts\sysmon.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 3, PID 4192: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faddd38c-ce1b-4671-9b8e-b9ebc2a9cbc2.vbs"
- Suspicious use of WriteProcessMemory
-
Depth 4, PID 2492: C:\Windows\Fonts\sysmon.exe
Command line: C:\Windows\Fonts\sysmon.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 5, PID 1580: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07ff5301-3cb1-409a-8ccd-184d8b2912dc.vbs"
- Suspicious use of WriteProcessMemory
-
Depth 6, PID 5036: C:\Windows\Fonts\sysmon.exe
Command line: C:\Windows\Fonts\sysmon.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 7, PID 3756: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1005c37e-541d-4f19-a03a-bb55c4d01f46.vbs"
- Suspicious use of WriteProcessMemory
-
Depth 8, PID 3168: C:\Windows\Fonts\sysmon.exe
Command line: C:\Windows\Fonts\sysmon.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 9, PID 4908: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad207a3-8e95-4357-b30e-50a06a4d5c45.vbs"
- Suspicious use of WriteProcessMemory
-
Depth 10, PID 3396: C:\Windows\Fonts\sysmon.exe
Command line: C:\Windows\Fonts\sysmon.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 11, PID 3532: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b23107-1c51-4a3a-a353-bfa1ad404d47.vbs"
- Suspicious use of WriteProcessMemory
-
Depth 12, PID 3236: C:\Windows\Fonts\sysmon.exe
Command line: C:\Windows\Fonts\sysmon.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
Depth 13, PID 4544: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af7815c-56d8-4e22-ad73-41edb9d735d5.vbs"
-
Depth 13, PID 2232: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b541f5d2-5424-47c8-8f8e-d8221f796a35.vbs"
-
Depth 11, PID 776: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df06015f-b1d1-499f-99fc-2c83191ac0a8.vbs"
-
Depth 9, PID 1292: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dcf7ad7-b4ff-4c87-a20c-91c3e414def8.vbs"
-
Depth 7, PID 1888: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473f913f-e1ea-40d7-a9fd-19d54913f4a6.vbs"
-
Depth 5, PID 2808: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bb198b2-fa1e-4c96-8ca5-3153e05cc1f8.vbs"
-
Depth 3, PID 4972: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1f30b00-fc7d-457e-b424-7247b1372cc5.vbs"
-
Scheduled tasks registered through C:\Windows\system32\schtasks.exe. All 48 are top-level (depth 1) entries, and each carries the same two signatures: "Process spawned unexpected child process" and "Creates scheduled task(s)". For every dropped binary three tasks are created: an interval task (/sc MINUTE), an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST. Every command passes /f, so a later /create that reuses a name (RuntimeBroker, explorer, dllhost, upfc and their interval twins) replaces the earlier task of that name.
- PID 3148: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
- PID 3664: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 396: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 1732: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /f
- PID 4812: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /rl HIGHEST /f
- PID 5104: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\SearchApp.exe'" /rl HIGHEST /f
- PID 1596: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
- PID 2544: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- PID 2264: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- PID 5064: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f
- PID 3268: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
- PID 4192: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
- PID 1504: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /f
- PID 4904: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
- PID 4516: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
- PID 1812: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- PID 1364: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 1884: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3764: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /f
- PID 3440: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
- PID 1656: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
- PID 4220: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
- PID 428: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
- PID 4376: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
- PID 1660: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /f
- PID 5016: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 2688: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 1640: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- PID 440: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- PID 4784: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- PID 1952: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /f
- PID 2744: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 624: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 1984: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\fontdrvhost.exe'" /f
- PID 4788: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- PID 2256: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\fontdrvhost.exe'" /rl HIGHEST /f
- PID 2368: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\sysmon.exe'" /f
- PID 3444: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Fonts\sysmon.exe'" /rl HIGHEST /f
- PID 3280: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\sysmon.exe'" /rl HIGHEST /f
- PID 4524: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\upfc.exe'" /f
- PID 2324: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\upfc.exe'" /rl HIGHEST /f
- PID 3368: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\upfc.exe'" /rl HIGHEST /f
- PID 2412: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /f
- PID 4928: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
- PID 3312: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Camera Roll\spoolsv.exe'" /rl HIGHEST /f
- PID 5072: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /f
- PID 1172: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
- PID 4056: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
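An added triage script (example code for this page, not the report's or the sample's) covering the two host artefacts the process tree leaves behind: the eleven Defender path exclusions added by the powershell.exe children of PID 1224, and the drop locations named in the schtasks /tr arguments. Run it elevated. The sandbox user "Admin" is generalised to C:\Users\* (an assumption), and the six 3.2MB SHA256 values from the Downloads section serve as the known-sample set; everything else it checks is stated in the report.

```powershell
# Added example, not from the sandbox report. Run as Administrator on a suspect host.
# Lists/removes blanket Defender exclusions and sweeps this sample's drop paths.
# Needs the Defender PowerShell module (Get-MpPreference / Remove-MpPreference).

# Exclusion paths exactly as the sample passes them to Add-MpPreference (forward slashes).
$ReportExclusions = @('C:/','C:/$Recycle.Bin/','C:/Documents and Settings/','C:/PerfLogs/',
    'C:/Program Files/','C:/Program Files (x86)/','C:/ProgramData/','C:/Recovery/',
    'C:/System Volume Information/','C:/Users/','C:/Windows/')

# Launch paths from the report's schtasks /tr arguments. The sandbox profile was "Admin";
# C:\Users\* generalises that to every profile on the host (assumption).
$DropPaths = @(
    'C:\Windows\Fonts\sysmon.exe', 'C:\Windows\Help\fontdrvhost.exe', 'C:\Windows\ModemLogs\upfc.exe',
    'C:\Windows\Performance\backgroundTaskHost.exe', 'C:\Recovery\WindowsRE\explorer.exe',
    'C:\Recovery\WindowsRE\RuntimeBroker.exe', 'C:\Recovery\WindowsRE\dllhost.exe',
    'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe',
    'C:\Program Files\Microsoft Office 15\SearchApp.exe',
    'C:\Program Files\Mozilla Firefox\browser\StartMenuExperienceHost.exe',
    'C:\Program Files (x86)\MSBuild\Microsoft\services.exe',
    'C:\Program Files (x86)\Internet Explorer\images\dllhost.exe',
    'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe',
    'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe',
    'C:\Program Files (x86)\Windows NT\Accessories\System.exe',
    'C:\Users\*\Pictures\Camera Roll\spoolsv.exe'
)

# SHA256 of the submitted sample and of the 3.2MB copies in the report's Downloads list.
$KnownSha256 = @(
    'ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357',
    '8cef5661fb2f20706ec8a7f0ed3e5e305ebc1a844f9268a45b354ccc6a1b00b5',
    '3bf575b3b7a41d712a4f324312ea042d346680d06fdd4ab2aa6f64b7ef500fa2',
    '1c0a754c127a1c4f5c349d2228135d135f0937a5de1a6eabbbdb13702e321517',
    '7087ff45692728e6ec8f8e68b4a481645aeb964ac951a0a90059168153b356ed',
    '9af5678a1b89e4036ad81457b0a5d52264fb20cfba489f4f04ab323b5ed77eed'
)

function Get-BroadExclusions {
    # A drive-root or top-level-folder exclusion blinds Defender to most of the disk,
    # so those are reported even when they are not on the sample's own list.
    foreach ($p in (Get-MpPreference).ExclusionPath) {
        $norm = ($p -replace '/', '\').TrimEnd('\')
        if     ($ReportExclusions -contains $p)         { $reason = 'added by this sample' }
        elseif ($norm -match '^[A-Za-z]:$')             { $reason = 'drive root' }
        elseif ($norm -match '^[A-Za-z]:\\[^\\]+$')     { $reason = 'top-level folder' }
        else   { continue }
        [pscustomobject]@{ Exclusion = $p; Reason = $reason }
    }
}

function Remove-BroadExclusions {
    param([switch]$WhatIf)
    foreach ($e in Get-BroadExclusions) {
        if ($WhatIf) { "Would remove: $($e.Exclusion) ($($e.Reason))"; continue }
        Remove-MpPreference -ExclusionPath $e.Exclusion
    }
}

function Find-DroppedBinaries {
    foreach ($pattern in $DropPaths) {
        # Get-Item expands the wildcard in the Users path; missing files are skipped silently.
        foreach ($file in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
            $sha = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
            [pscustomobject]@{
                Path        = $file.FullName
                SizeKB      = [math]::Round($file.Length / 1KB)
                SHA256      = $sha
                KnownSample = $KnownSha256 -contains $sha
                Signature   = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
            }
        }
    }
}

Get-BroadExclusions | Format-Table -AutoSize
Find-DroppedBinaries | Format-Table -AutoSize
# Remove-BroadExclusions -WhatIf    # preview; drop -WhatIf to apply
```

A file at one of these paths whose hash is not in the known set is still worth collecting: the Downloads list already shows six distinct 3.2MB builds, so the copy on a given host may differ from the one submitted here. Remove the scheduled tasks before deleting the binaries, otherwise an interval task can relaunch a copy between the two steps.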
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 3.2MB
MD5: d67c083b7f55c40deae2ac79549d0a70
SHA1: c47be45497fe044d732a847a21b7b2be0172c8c5
SHA256: ba381b7847ed129aa068cee625f78d7a8ec511a55d55feb86e22159ab43b6357
SHA512: 2fb0a24efd4e6349cc1f0f4193ac1b512dcb679478b65f51fb967b6c736192eb0e161e7020756e4a9ce03f89aae7789bac5ce57c0968ee60b095a25654511d6d
-
Filesize: 3.2MB
MD5: 1320ddaa154d7ab22e2a738a0d6c8d7b
SHA1: 416aea2a6e2378fa7bb5e478c18eeee98f3c13c7
SHA256: 8cef5661fb2f20706ec8a7f0ed3e5e305ebc1a844f9268a45b354ccc6a1b00b5
SHA512: 69e414ee0f5f4ff7c59b7aaaac6d3ba5ef8fbf16ce4a5122224dfb1696153e545128e292f4fe88642f302b183dee248926d6181ae09b73085bba10b562c07a0a
-
Filesize: 3.2MB
MD5: be35365662cd9d605fe6617807239ee7
SHA1: 40ad063d455a823dfcc1f1c192895afcf6b43deb
SHA256: 3bf575b3b7a41d712a4f324312ea042d346680d06fdd4ab2aa6f64b7ef500fa2
SHA512: 080d2c458e5c0aca8f4890ac5f99083dc89642fae351c95a5f01035d20cff98890c2c934998548cc78636169e5e751a5ce5b9b2b35c66aadcbab88ffcf7a152e
-
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize: 1KB
MD5: 49b64127208271d8f797256057d0b006
SHA1: b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA256: 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512: f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize: 944B
MD5: 59d97011e091004eaffb9816aa0b9abd
SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize: 944B
MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize: 703B
MD5: 59b03894b9002907c200a1d10f7957c3
SHA1: 569777ee08d2261f0b81c924c2dac91777ea4f1b
SHA256: 2c6aec65bc2e95505a281d2f94a93ca29377a9fa1d1dd59feaeb62a57059924a
SHA512: 0ab91393938f432f9facd2da76f196b3d1fbb7d81a5cb8d898f6e941fb6eabd09d47431ba805890fc4026b731cebbbb49df6636b1ff9b03a73a7650514caec46
-
Filesize: 703B
MD5: 51b873ff78e40d92791adac1bad9dcc7
SHA1: 5ca65083ce58f18be3ec58637bd7d0233f697af2
SHA256: af34f882dba555ce9660d712d39ccf24a31bd98b20fb86cc659092d20f06d672
SHA512: 225470ab3aed5fd7f81044f3d5532cb3fb713a213a7ebf0f066d1e97449993f21a00b6952bcfe5b99ca2ab4fab4c7581756823645294cfd22d9f7e25f18e0eb3
-
Filesize: 703B
MD5: 2813f17aa03f7d8d50b176d36c0b0146
SHA1: 36e714afeca561c30102c250f206cfbbf1bac93c
SHA256: 6882ce12c6821db2faa7c3d03f91322bf17892fa7d247c5903001d1695caf88c
SHA512: 99d588e40c7c63dc540358c693dd486b0195a556162ef0b553195566d15f7cbd7086fb4271f9e948c426b5cc3fcf8b0821d7832f047140cb7eed02f1ab9f6cd7
-
Filesize: 703B
MD5: 424a972dd4915f5eb186d0155e8639b3
SHA1: 19d0d66ed7ef5fe649cc2409d97db286b0a384be
SHA256: 3af300d7edb6de5434c3c7d3e60b975438d2aaaee4590a1464e74dc51462d2b9
SHA512: b1b530af486252c375b0a568ec3fc02016dfdbec69f8f5bd2a364aead52e10654751b2e47767af1a203600976acdcf6cda878968f7c1a09a0ee660b8831cfcfa
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 703B
MD5: 4f4d8fc0c5b7dd35f2c8b5eb55f245f1
SHA1: 5b613d29fabac76c07950ea0a5aff714c07138fe
SHA256: 0cc527021b0e526874d5a21827343c8296aac6963a346dcfd363e2f1080ff081
SHA512: 8e9cb90b8b8169c579ffb9c632764edaed228698cea3ba04070a1f1cab4215c465973f821def779b9737686e92a3487b88ffdf7c11127267e161b9c46c3e097a
-
Filesize: 479B
MD5: 2b4394d36333629d50679f23b39fc490
SHA1: 07ea3bd6ae02e349f39dd44f22423b3c0c47bc3a
SHA256: 99672768948a9f6043f3700df24b4639e9dce05eb54ce00530e58a65fdcabcde
SHA512: 48ca7e7a6fc0232c4c7db036a1e770e8e0a21f4e0bd2c31205438c8cd890e492cd555582042202f179babe9c9e5eda3014dca5276be68f91d60b1891ab67c4e1
-
Filesize: 703B
MD5: 920405a68fe967b9c82e2446ab0fd6b5
SHA1: ebc13c2d9f5c7f025597177c818380778cf40b54
SHA256: 0268ab0c269df25056d89fb294825a43148b9ed4836461a0d773b77f6d0783bf
SHA512: acf02c0978595803ad3913f3a9d4b39cea96c2f8d42d8baacd1d32509352a743a979ba9a4e14bc838b7531e02b48b715d49e98f7bc9e338d83b28ea46038ffba
-
Filesize: 3.2MB
MD5: f4681fa967ba0859ab216a8669ff3b41
SHA1: 835da04c16f96cf0544561e5f812f1f41fd692a4
SHA256: 1c0a754c127a1c4f5c349d2228135d135f0937a5de1a6eabbbdb13702e321517
SHA512: f34e95c794b9fb842c03ac020bc9249c99d5e7ece3d3a9e8c1e4bbf5f7ce8328919980a82dfe7af5450d61cee550fefba57e839c386c3e781506570b8f2af00d
-
Filesize: 3.2MB
MD5: 54271049ecd01a9872797efa308a5683
SHA1: 7a103af3cdc84fecf1e8610057e0bc199ddbd608
SHA256: 7087ff45692728e6ec8f8e68b4a481645aeb964ac951a0a90059168153b356ed
SHA512: 61f4e148259ce83ab71041dea54c56978448f5143e39de31067e4c2eace89872aa70b4c12071f344930a15d438545c62beafe5f221ac5c86134bdb1ef6e27f54
-
Filesize: 3.2MB
MD5: f1389e0576e96fc0209a6eb53a780b68
SHA1: a354c1df46ede577337b093bd9e5b3fbc6e3a18a
SHA256: 9af5678a1b89e4036ad81457b0a5d52264fb20cfba489f4f04ab323b5ed77eed
SHA512: 57ade46a978dde84843b47f18f3d2a229ff8c964e1442c329dccbab593b24cea4241d2ed12500f9649a96a22fddf5c41a8a1c2afe8641f9f909491c9f62b2cc8