Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 00:58

Behavioral task: behavioral1
Sample: 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Resource: win7-20240419-en

General
Target: 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Size: 2.9MB
MD5: 6a9aaa3fc23d1561df97e3f9eb2de110
SHA1: d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA256: 9ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA512: 7350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c
SSDEEP: 49152:P4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:gDKmzjWnC8Wikx1DUN2/Uq
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
resource                                                                    yara_rule
behavioral2/memory/3044-1-0x00000000000A0000-0x0000000000386000-memory.dmp  dcrat
C:\Users\Public\Desktop\SppExtComObj.exe                                    dcrat
C:\Recovery\WindowsRE\SppExtComObj.exe                                      dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 14 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE (13 IoCs)
Drops file in Program Files directory (28 IoCs)
Drops file in Windows directory (4 IoCs)
Processes:
description                   ioc                                                 process
File created                  C:\Windows\bcastdvr\StartMenuExperienceHost.exe     6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File created                  C:\Windows\bcastdvr\55b276f4edf653                  6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification  C:\Windows\bcastdvr\RCX6C44.tmp                     6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
File opened for modification  C:\Windows\bcastdvr\StartMenuExperienceHost.exe     6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (14 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe, cmd.exe, SppExtComObj.exe, WScript.exe, SppExtComObj.exe, WScript.exe, SppExtComObj.exe, WScript.exe, SppExtComObj.exe, WScript.exe, SppExtComObj.exe, WScript.exe, SppExtComObj.exe, WScript.exe
description | pid | process | target process
PID 3044 wrote to memory of 4576 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4576 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4428 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4428 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3036 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3036 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 1940 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 1940 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 2976 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 2976 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 1012 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 1012 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3408 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3408 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4544 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4544 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3544 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 3544 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 748 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 748 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 2084 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 2084 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | powershell.exe
PID 3044 wrote to memory of 4792 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | cmd.exe
PID 3044 wrote to memory of 4792 | 3044 | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe | cmd.exe
PID 4792 wrote to memory of 1380 | 4792 | cmd.exe | w32tm.exe
PID 4792 wrote to memory of 1380 | 4792 | cmd.exe | w32tm.exe
PID 4792 wrote to memory of 1704 | 4792 | cmd.exe | SppExtComObj.exe
PID 4792 wrote to memory of 1704 | 4792 | cmd.exe | SppExtComObj.exe
PID 1704 wrote to memory of 4136 | 1704 | SppExtComObj.exe | WScript.exe
PID 1704 wrote to memory of 4136 | 1704 | SppExtComObj.exe | WScript.exe
PID 1704 wrote to memory of 1784 | 1704 | SppExtComObj.exe | WScript.exe
PID 1704 wrote to memory of 1784 | 1704 | SppExtComObj.exe | WScript.exe
PID 4136 wrote to memory of 1384 | 4136 | WScript.exe | SppExtComObj.exe
PID 4136 wrote to memory of 1384 | 4136 | WScript.exe | SppExtComObj.exe
PID 1384 wrote to memory of 1904 | 1384 | SppExtComObj.exe | WScript.exe
PID 1384 wrote to memory of 1904 | 1384 | SppExtComObj.exe | WScript.exe
PID 1384 wrote to memory of 3280 | 1384 | SppExtComObj.exe | WScript.exe
PID 1384 wrote to memory of 3280 | 1384 | SppExtComObj.exe | WScript.exe
PID 1904 wrote to memory of 3288 | 1904 | WScript.exe | SppExtComObj.exe
PID 1904 wrote to memory of 3288 | 1904 | WScript.exe | SppExtComObj.exe
PID 3288 wrote to memory of 2928 | 3288 | SppExtComObj.exe | WScript.exe
PID 3288 wrote to memory of 2928 | 3288 | SppExtComObj.exe | WScript.exe
PID 3288 wrote to memory of 1792 | 3288 | SppExtComObj.exe | WScript.exe
PID 3288 wrote to memory of 1792 | 3288 | SppExtComObj.exe | WScript.exe
PID 2928 wrote to memory of 3776 | 2928 | WScript.exe | SppExtComObj.exe
PID 2928 wrote to memory of 3776 | 2928 | WScript.exe | SppExtComObj.exe
PID 3776 wrote to memory of 4716 | 3776 | SppExtComObj.exe | WScript.exe
PID 3776 wrote to memory of 4716 | 3776 | SppExtComObj.exe | WScript.exe
PID 3776 wrote to memory of 228 | 3776 | SppExtComObj.exe | WScript.exe
PID 3776 wrote to memory of 228 | 3776 | SppExtComObj.exe | WScript.exe
PID 4716 wrote to memory of 3408 | 4716 | WScript.exe | SppExtComObj.exe
PID 4716 wrote to memory of 3408 | 4716 | WScript.exe | SppExtComObj.exe
PID 3408 wrote to memory of 4784 | 3408 | SppExtComObj.exe | WScript.exe
PID 3408 wrote to memory of 4784 | 3408 | SppExtComObj.exe | WScript.exe
PID 3408 wrote to memory of 3348 | 3408 | SppExtComObj.exe | WScript.exe
PID 3408 wrote to memory of 3348 | 3408 | SppExtComObj.exe | WScript.exe
PID 4784 wrote to memory of 5000 | 4784 | WScript.exe | SppExtComObj.exe
PID 4784 wrote to memory of 5000 | 4784 | WScript.exe | SppExtComObj.exe
PID 5000 wrote to memory of 1384 | 5000 | SppExtComObj.exe | WScript.exe
PID 5000 wrote to memory of 1384 | 5000 | SppExtComObj.exe | WScript.exe
PID 5000 wrote to memory of 380 | 5000 | SppExtComObj.exe | WScript.exe
PID 5000 wrote to memory of 380 | 5000 | SppExtComObj.exe | WScript.exe
PID 1384 wrote to memory of 3120 | 1384 | WScript.exe | SppExtComObj.exe
PID 1384 wrote to memory of 3120 | 1384 | WScript.exe | SppExtComObj.exe
System policy modification 1 TTPs 42 IoCs
Processes: SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe, 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe, SppExtComObj.exe, SppExtComObj.exe, SppExtComObj.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SppExtComObj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SppExtComObj.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the nesting level in the process tree (a level-N process is a child of the nearest preceding level N-1 entry), the PID, the image path, the command line and the behavioural tags raised for it.

Level 1, PID 3044: C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 2, PID 4576: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 4428: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 3036: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 1940: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 2976: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 1012: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 3408: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 4544: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 3544: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 748: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 2084: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Level 2, PID 4792: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1eVLovZyht.bat"
- Suspicious use of WriteProcessMemory

Level 3, PID 1380: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Level 3, PID 1704: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: "C:\Users\Public\Desktop\SppExtComObj.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 4, PID 4136: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b638d4-5fd7-4ac3-b40a-cd953d17e58f.vbs"
- Suspicious use of WriteProcessMemory

Level 5, PID 1384: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 6, PID 1904: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867031d9-3c18-4d21-987a-aacad3495529.vbs"
- Suspicious use of WriteProcessMemory

Level 7, PID 3288: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 8, PID 2928: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c6de94-e9f3-4cab-a86b-cda169f9474e.vbs"
- Suspicious use of WriteProcessMemory

Level 9, PID 3776: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 10, PID 4716: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc410e8a-6f72-4d31-a2f8-0587f0818a32.vbs"
- Suspicious use of WriteProcessMemory

Level 11, PID 3408: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 12, PID 4784: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f19afa23-5b72-4b35-8c12-968589555f98.vbs"
- Suspicious use of WriteProcessMemory

Level 13, PID 5000: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

Level 14, PID 1384: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56f1c34c-937d-41f2-b542-6e188445a0f6.vbs"
- Suspicious use of WriteProcessMemory

Level 15, PID 3120: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 16, PID 3240: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c06223-4f0e-4374-b106-c2c26ed41918.vbs"

Level 17, PID 3684: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 18, PID 1076: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e005aae2-6eb8-4de4-a14a-f77e451453fa.vbs"

Level 19, PID 3040: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 20, PID 1228: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f87e97-7f4d-4087-a731-f2d1dcd041c0.vbs"

Level 21, PID 4372: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 22, PID 212: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b30ed35c-1114-4a4b-a00c-84bdf94a1257.vbs"

Level 23, PID 2672: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 24, PID 1496: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c47d47-75b7-40fa-985b-463997eece38.vbs"

Level 25, PID 3800: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 26, PID 4420: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07634cb4-1ff0-47e6-94fa-496d320b59df.vbs"

Level 27, PID 4604: C:\Users\Public\Desktop\SppExtComObj.exe
Command line: C:\Users\Public\Desktop\SppExtComObj.exe
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification

Level 28, PID 1632: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef36fb5e-85ed-439c-a95c-2abb601307f0.vbs"

Level 28, PID 4716: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7db721d0-cf02-4855-853b-4f3bc8229a91.vbs"

Level 26, PID 4284: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8320cc67-1b2d-4a06-b65f-254cf1f143c8.vbs"

Level 24, PID 3652: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45d6431-ef34-429e-9131-eb400fee206d.vbs"

Level 22, PID 3392: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a1d8ffe-3da1-4838-b1db-681923ce0094.vbs"

Level 20, PID 2260: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6748e0eb-3968-4af7-ae19-2310aec5b166.vbs"

Level 18, PID 4080: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0db83065-d0d7-48f7-b260-f53b52911d8f.vbs"

Level 16, PID 116: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35db84db-db0d-465d-b4da-e3de513ba0e5.vbs"

Level 14, PID 380: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d11dba5-ec05-4476-80d2-eeb70a435eac.vbs"

Level 12, PID 3348: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31203692-cd40-4d7e-927c-1ce8d80e6cbd.vbs"

Level 10, PID 228: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6abdcbeb-a372-477b-8f54-da3530e6afef.vbs"

Level 8, PID 1792: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bceecce9-87f2-4b2a-9c0c-4e05f369fa9c.vbs"

Level 6, PID 3280: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2026a482-574d-4e98-b261-11b280a3fed3.vbs"

Level 4, PID 1784: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d119284-8c4e-4797-8e43-f3f3244f12cd.vbs"

Level 1, PID 1088: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4852: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2080: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 5068: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2136: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 400: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4920: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3400: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4580: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3640: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4124: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3960: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4428: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4544: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 748: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 1588: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2856: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 1636: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3288: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4896: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4156: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4284: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4000: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 1812: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 5016: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3120: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2824: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4792: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2088: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 1308: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics6" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\6a9aaa3fc23d1561df97e3f9eb2de110_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4496: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3468: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 1716: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2220: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2148: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 2204: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4592: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 4004: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)

Level 1, PID 3684: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
SHA1ad326baca00fed05388abbd27df53cec02e2f34f
SHA256d31e92f54b182a30249a00f29d35e1f25a4fb5b7ad0a33a540ac5214e34e5af6
SHA51222e40d048328baf116e5d466dbd5f58dd7fac663f888dee58fe50d851d8723fa2ccdab6e61c977cbd19edb50c416821e9b6a0791a3a9885151e082182461bf07
-
Filesize
205B
MD5ae030a9d77ff40e28b11ad64afdbdf97
SHA1bfcced4adf723e7ace2365328582d5e88dc56dd0
SHA25644edfdb71cb6d02b02164805829e5660b80eb0bdbcdbfe8b7b18ee995e35f0f8
SHA512ad12b0292f43ab97171166c5f3bdf01ea07eab928c0dbeea52637ef0a239873bf54019b69dc2fa4a892dcb4993573884e96f7e8aa15adf93af779cd5a1061dfd
-
Filesize
716B
MD55f80dd244750ae9d77296f14c5aa32cd
SHA11da76c8406cd851e3104dca8afc8d34180c6fec9
SHA256f24e91c8a1cb7e255b3dda7ad2b5a79bf8bfbdf899a28a2987976d0857a844b3
SHA5121a0d03ad65d78a7d965d2135aa41d3c4769fdb4e8fe8a33352a8e8f3102d65e2bcfc045cc971ae4865d2cc885ff344c79f7151f6efe5ac051c24a5d0e110a07c
-
Filesize
716B
MD501d6a0d2f6013409e77b60ed768ead8e
SHA16463b2cd80e7e4e541e8202c6f9625245f29ff85
SHA256528e0f32871bb0b17f17bb9112e6e0427bfe5d00a6ac2661a0437a291a098280
SHA5124f4a516a266c7af3c9702467b2ed3af22194477266f7cb9c16cff51039c2e36761fa70ef1e68fe2bc2d9d065792e9ff1458dfaaed6bc7e29e26d9c1fe9250c4e
-
Filesize
716B
MD5df127eecf3a4aa43a70c0d795f2b2047
SHA1f79d32f6343ef009d52e3d6cdba686b1602a6691
SHA2564db5bd507e4695e1c78d38f7d05e9453b6dac8890ffd75308c366db7dc5a857f
SHA512d32b18c4b598ddc13c6a9fdcc30647332496066e27e8ebe1bcb3e08a74fa983bd7d0fe92af3230b7e4c113b843e445fb115ec5c2aba274c51594362aa9bfb9ee
-
Filesize
492B
MD5233fb7bd35a95558de2fe5a22997950f
SHA13c697d5b988768f31d827c41a8c3344c3271622e
SHA256ed8c8b6efe7dff654b7555f043e9b45d8d3187403660e3a759dc67de75509181
SHA512e8b15093390acc2c885cedee6599ef6e5b28a814f89c9ff7fa376432761d4a44f07284afcde4afbaf0faea5327d524284dc895d5a6091f9c2b17be798ce5aa3c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
716B
MD5aefc45548b2ad92a160ea58a3f7d5926
SHA19db942bce6a67c8276019dde50c5acb6a72ba5df
SHA2562bff36881d908f1b3fe3739f9321c06487b207faae5974ca5ee9c147cec1bfe8
SHA51273d3f3a971b9138778e78419deacb6276484c8fd2428c00fc16be43da025187851b06a83e27d45dacf32dda6607ed1a72ed494e41813df30b48d9d8197d4cfec
-
Filesize
716B
MD530e010047ed5d53cb9ade01766dc09c9
SHA1d254619cad92050edf8829c97f48fcf9e02d4d24
SHA25600c4f467e4668d6a934ec3219e20eb8d5f54b2a0d7888725596739519e7a84fa
SHA5129a9980134ff145750028a95c99b6f99a26d9c0088e0860ad26640173b37d5690d4de528292718611b20c37149cd37c9ce7583cc31a604281fdda20ce5f9b5635
-
Filesize
716B
MD5e091691c10039e69b06cf1b580cbe2d0
SHA12d1d004c5f20453413b94f894005c521cf5d12a0
SHA25657e45836487c5287693c452369d1383f8684f541a00b09de8d7467fb8b5a29eb
SHA51277d788872d2df68e760ec732217678333dd0627bb3e1e09f37ea1689a5ee1c556d70d624d655ea79501cd6741ec58ec8126bd93c2f9df82e383f330f74037df0
-
Filesize
716B
MD5ff352044ac62337fb143b877f57bee46
SHA12ed6d6c461477de5aa7562b26ab13830d236e32e
SHA256b2e91443b5e16bca555399529bd7aef8f95bc27c9f056ce5cf1a3a3960f4f91c
SHA512ef74d9105e82a8c946f5c34940cc7f64de5a8a6fa11c651a025c99b9785bfe857ab1daa5eb361aa47761c5e987119f4b0875d2b467f6cd7f5a31f2704a625000
-
Filesize
716B
MD511ace1362dcbce73adfe71f62d7776a8
SHA129faf41a74e3db8b09c6035f87198861ef81a84c
SHA256a6238e8b37b2ffd64152cbdad39195f80c49d40a97f16edb63136ef45ace3219
SHA51210124ceb82264e06d00c0d2540eec25b96ccad8eef6e59c419e03a2360043868aaf6af4acce5d6ef93aa36f509d4c7570c9c19f4c852bcbd9c9967186634c8ba
-
Filesize
716B
MD5ba9a3042ea9101f89bf1d7c7dd7bf135
SHA1681f794813cd4f77acdfa72b6e219e3b5e83a817
SHA256d1a03e54612beb93356efe14db33a01ce89aba71d69dba6b9e3fb9077a4ba4f7
SHA5129b73b65efb24d6d4f94097444b7c8b6ccdef89d9ebe3f6762ebbc70debe4fe5eb9133fa3993b5ca585232f74f28827c5feb74b44b4d4e80734d83c1a272a2974
-
Filesize
716B
MD576bacbf0c2500e5a052c3fc7bdecccf4
SHA130b6e8c3e80e585f78bc5dd5d16ac3a35c0f4c4d
SHA25676ff6246e872cded4cefe2b8242c273264814c19d2a14ef45c25faf81b95edc3
SHA512cc1699ef947616e20249ba58592414442b5b9b32cc08a15ecc8528ef36aae61e989b2028c5deedb974c3c2a63dd5dc9880754e3f894a56b8f806cc191ebad293
-
Filesize
716B
MD5621d7767269bfbad5c4a89b6df4743fc
SHA1ec3992ce710e53e3ce19a238d4513e61051ab467
SHA256aadce17bb88b813f0c01e006cbbddc180f76923d262a55417450f2496a900747
SHA512e9067d9f8328da6c38e8e0966c5f0801460fbd97f38f5f9decdd5831856e114e2750ae25d91915cb286fa6c73ee761ee687ff7d95d482c5b996bb2b6057f08e4
-
Filesize
716B
MD502892f91880a5fbce36efb0b5a01e223
SHA1ac5815053655b90080dac69218900c0409a8398a
SHA2562a1c323344b4e1e095694d06b3e584226ec0879409229d3b95e026ddd633c9d7
SHA512cc33ae2206b07dccca14b4589e9c70c5192fd869a45a80be6262f101801292cc681d66991396c0758aa4fbb3557abf70115dac0d8ecf5acc5afd88c540d857f7
-
Filesize
2.9MB
MD56a9aaa3fc23d1561df97e3f9eb2de110
SHA1d0effad0bad292fb0bcb377cbafacd8db83a474e
SHA2569ff431f5f1b0f09adff076f71cdfbe91566f3b00f5ea57fc9e4c02aef199a565
SHA5127350bce60b1a9ffb8ce8c8f98e17ebef7931db0f8a77af7d4dfef0ac02065169ec51734e0602a2be5790e77be9703ea560f3caf640dbaee85fc30e4630912c4c