Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 16-05-2024 01:57
Behavioral task: behavioral1
Sample: 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Size: 2.9MB
MD5: 78e93535702e2a553d85bac1d4737210
SHA1: 572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f
SHA256: b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
SHA512: ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa
SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro. All 64 instances here are schtasks.exe children of C:\Windows\system32\wbem\wmiprvse.exe (pid 2984), which is not expected to spawn that process.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MoUsoCoreWorker.exe
resource | yara_rule
behavioral2/memory/1956-1-0x0000000000100000-0x00000000003E6000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe | dcrat
C:\Program Files\VideoLAN\upfc.exe | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | MoUsoCoreWorker.exe
Executes dropped EXE 14 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MoUsoCoreWorker.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MoUsoCoreWorker.exe
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\networklist\icons\sihost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\networklist\icons\66fc9ff0ee96c2 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\networklist\icons\sihost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Drops file in Program Files directory 27 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Mail\cc11b995f2a76d | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\VideoLAN\upfc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\VideoLAN\ea1d8f6d871115 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Uninstall Information\upfc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Mail\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\121e5b5079f7c0 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Windows Media Player\Icons\SppExtComObj.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\winlogon.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX455B.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Uninstall Information\upfc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\ee2ad38f3d4382 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\Uninstall Information\ea1d8f6d871115 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\f3b6ecef712a24 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\RCX4B69.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Program Files\VideoLAN\upfc.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | C:\Windows\L2Schemas\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\it-IT\OfficeClickToRun.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\OCR\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Migration\WTR\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\Offline Web Pages\dllhost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\L2Schemas\RCX3ED0.tmp | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\6203df4a6bafc7 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Offline Web Pages\dllhost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Offline Web Pages\5940a34987c991 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\it-IT\OfficeClickToRun.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\L2Schemas\6203df4a6bafc7 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\CSC\spoolsv.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File opened for modification | C:\Windows\L2Schemas\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\Migration\WTR\lsass.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\it-IT\e6c9b481da804f | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\SystemResources\backgroundTaskHost.exe | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
File created | C:\Windows\BitLockerDiscoveryVolumeContents\29c1c3cc0f7685 | 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class 15 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings MoUsoCoreWorker.exe (13 of the 15 IoCs, one per MoUsoCoreWorker.exe instance)
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Creation of the per-user Classes\Local Settings key is a side effect of ordinary shell and COM activity and is produced by many benign processes; on its own it is low-signal. The CLSID Instance key written by the sample under HKLM\SOFTWARE\Classes is the more useful indicator here. -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1956 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (7 hits)
4136 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (17 hits)
968 powershell.exe (4 hits)
3312, 3756, 3724, 4896, 1612, 4252, 1340, 4104, 4488, 1780 powershell.exe (3 hits each)
4380, 372, 4556 powershell.exe (2 hits each)
(7 + 17 + 4 + 30 + 6 = 64 IoCs) -
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1956 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Token: SeDebugPrivilege 4136 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe
Token: SeDebugPrivilege powershell.exe, PIDs 968, 3312, 3756, 3724, 4896, 1612, 4252, 4488, 1340, 4104, 1780 (the eleven children of 1956) and 4380, 372, 4556, 4468, 116, 4916, 932, 4600, 404, 1132, 4596 (the eleven children of 4136)
Token: SeDebugPrivilege MoUsoCoreWorker.exe, PIDs 4648, 3092, 4132, 1820, 556, 4696, 3148, 932, 2992, 3756, 4800, 3208, 1728
(1 + 1 + 22 + 13 = 37 IoCs. PIDs 932 and 3756 occur for both a powershell.exe and a later MoUsoCoreWorker.exe, so when correlating these rows with the process tree match on process name plus PID, not on PID alone.) -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
Every relationship below is recorded twice, giving 64 IoCs for 32 parent/child pairs:
PID 1956 (78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe) wrote to memory of powershell.exe PIDs 1780, 1612, 968, 3724, 4104, 1340, 4488, 3756, 4896, 4252, 3312 and of cmd.exe PID 224
PID 224 (cmd.exe) wrote to memory of w32tm.exe PID 952 and of 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe PID 4136
PID 4136 (78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe) wrote to memory of powershell.exe PIDs 372, 4380, 4468, 116, 4600, 4916, 1132, 4596, 404, 932, 4556 and of MoUsoCoreWorker.exe PID 4648
PID 4648 (MoUsoCoreWorker.exe) wrote to memory of WScript.exe PIDs 652, 2628
PID 652 (WScript.exe) wrote to memory of MoUsoCoreWorker.exe PID 3092
PID 3092 (MoUsoCoreWorker.exe) wrote to memory of WScript.exe PIDs 2528, 2044
PID 2528 (WScript.exe) wrote to memory of MoUsoCoreWorker.exe PID 4132
In every case the writer is the parent and the target is a process it had just launched, which is what the process-creation path itself produces; these rows confirm the parent/child chain in the process tree below, and are not evidence of injection into an unrelated process. -
System policy modification 1 TTPs 45 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MoUsoCoreWorker.exe (13) and 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MoUsoCoreWorker.exe (13) and 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (2)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MoUsoCoreWorker.exe (13) and 78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe (2)
(3 values x 15 processes = 45 IoCs: both instances of the sample, PIDs 1956 and 4136, and all 13 MoUsoCoreWorker.exe instances write all three.) Together these disable UAC: EnableLUA = 0 switches it off entirely at the next reboot, ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt, and PromptOnSecureDesktop = 0 allows any remaining prompt to be drawn on the normal, spoofable desktop. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
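The report records 64 schtasks.exe launches and a Task Scheduler COM API hit but no task names or actions, so the persistence has to be confirmed on the host. The following PowerShell triage script is an added example, not part of the sandbox report or of the sample: it lists scheduled tasks whose action binary resolves outside the Windows and Program Files trees (a copy of MoUsoCoreWorker.exe under C:\Recovery\WindowsRE, as dropped here, would be caught this way, since the genuine binary lives in System32), and it pulls Sysmon process-creation events in which schtasks.exe was started by wmiprvse.exe, which means the task was registered through WMI (Win32_Process.Create) rather than by a visible parent. The Sysmon channel name and the trusted-root list are assumptions of this script.

```powershell
# Added example (not from the sandbox report): confirm scheduled-task
# persistence on a host. Assumes Sysmon is installed with its default
# channel name; the trusted-root list is an assumption you may need to extend.

$TrustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousTaskAction {
    # One object per Exec action whose executable lives outside $TrustedRoots.
    # Registrations pointing into C:\Recovery, %TEMP% or ProgramData, and copies
    # of system binary names (MoUsoCoreWorker.exe) outside System32, show up here.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            $exe = [System.Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not (Test-TrustedPath $exe)) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

function Get-SchtasksSpawnedByWmi {
    # Sysmon Event ID 1 (process creation) where schtasks.exe has wmiprvse.exe
    # as its parent, i.e. it was launched through WMI rather than by a visible
    # parent process. $Hours bounds the query window.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['Image'] -like '*\schtasks.exe' -and $data['ParentImage'] -like '*\wbem\wmiprvse.exe') {
            [pscustomobject]@{
                Time              = $_.TimeCreated
                ProcessId         = $data['ProcessId']
                CommandLine       = $data['CommandLine']
                ParentProcessId   = $data['ParentProcessId']
                ParentCommandLine = $data['ParentCommandLine']
            }
        }
    }
}

# Usage: review both lists, then remove each confirmed task with
#   Unregister-ScheduledTask -TaskName <name> -TaskPath <path> -Confirm:$false
Get-SuspiciousTaskAction  | Format-Table -AutoSize
Get-SchtasksSpawnedByWmi -Hours 48 | Format-Table -AutoSize
```

Third-party software that installs tasks under ProgramData or the user profile will also appear in the first list; the point is to get a short list to read, not an automatic verdict. The Sysmon query is the only way to recover the `/create` command lines, because the task store itself keeps the task XML but not the process that wrote it.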
Processes
-
C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZQqiTadxcN.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 3⤵PID:952
(The trailing 3 is the depth in the tree, not part of the argument; the command is /samples:2. w32tm is used here as a timing delay: sampling localhost twice at a 5-second period blocks for several seconds before the batch file relaunches the sample.)
-
C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4136 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4468 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe"C:\Recovery\WindowsRE\MoUsoCoreWorker.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4648 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b173bbe-c155-4fca-a1bc-1348087e4f1e.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Recovery\WindowsRE\MoUsoCoreWorker.exeC:\Recovery\WindowsRE\MoUsoCoreWorker.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3092 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfa6ae54-1abb-4799-9a1c-a7f6e3815d91.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Recovery\WindowsRE\MoUsoCoreWorker.exeC:\Recovery\WindowsRE\MoUsoCoreWorker.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4132 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9a35882-00d1-49f7-b58c-08b0cbc620f3.vbs"9⤵PID:4920
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exeC:\Recovery\WindowsRE\MoUsoCoreWorker.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1820 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5894016f-f166-45a4-8001-8353ee8b6aca.vbs"11⤵PID:3528
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exeC:\Recovery\WindowsRE\MoUsoCoreWorker.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:556 -
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80421db3-22ba-4217-84b8-0b03f7e86823.vbs"
13⤵
PID:3312
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4696
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e499dcae-6725-4353-9a5e-d80028b70d8b.vbs"
15⤵
PID:2088
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3148
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58f8aa1a-4943-4f98-b8ac-c8dfc60c3da8.vbs"
17⤵
PID:4056
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:932
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40610d9d-4d65-42d7-92a2-f88f3562d160.vbs"
19⤵
PID:2884
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2992
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b70ae50e-4fef-443b-ac5e-eb6d7d8348af.vbs"
21⤵
PID:3028
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3756
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a8b9333-4fd5-40fd-b966-8f38bf7f9fec.vbs"
23⤵
PID:4020
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4800
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c3fa160-ff4b-4f95-8342-56cb24859c61.vbs"
25⤵
PID:952
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3208
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a89b5eb4-4336-4e09-8004-26c28cea6710.vbs"
27⤵
PID:220
-
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
C:\Recovery\WindowsRE\MoUsoCoreWorker.exe
28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1728
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f8fa3c3-ca8a-4954-8181-9da7983f4cb7.vbs"
29⤵
PID:4540
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a356461c-b10c-42a4-8cc7-d915c6faab5d.vbs"
29⤵
PID:3148
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2a68a-6a4f-4b9f-a89c-2b7d8979a8f3.vbs"
27⤵
PID:4156
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a3fdc-54bf-44b0-82e2-3970ab15554b.vbs"
25⤵
PID:3404
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6319cd0-a3a0-493b-b1cc-d1fd1506ea8e.vbs"
23⤵
PID:2904
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e397b3b3-123b-4999-b3be-40413dbff9ff.vbs"
21⤵
PID:536
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a7a5be-6277-495a-a4fe-e4b1bb245181.vbs"
19⤵
PID:1492
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfdc1722-da0f-4ea5-aeec-96fd832e76bd.vbs"
17⤵
PID:3808
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91d16235-6993-49a6-80db-51ff7f5de65b.vbs"
15⤵
PID:520
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c19902d6-a0b6-4a37-b4da-3b3035518e07.vbs"
13⤵
PID:2200
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d404ec8-e41e-439d-9aee-9c6344d69d40.vbs"
11⤵
PID:3844
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1a544a-5fe4-4148-b7b9-fb06e4de23db.vbs"
9⤵
PID:4600
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313132f1-e73f-466b-a08c-01032800b875.vbs"
7⤵
PID:2044
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e5372fa-9571-4877-87d7-08cebadf1291.vbs"
5⤵
PID:2628
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3308
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4580
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:548
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2444
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1528
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1260
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4164
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4048
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:4104
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\networklist\icons\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2908
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4900
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3464
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1880
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:2884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1084
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD5
78e93535702e2a553d85bac1d4737210
SHA1
572ed789a4da08d6c3cc770b4b49bb6d6a4ea75f
SHA256
b6d844ec087f7be57656bfb4782919dbe0cf823301b441e68b7a7a8e757049fb
SHA512
ad2ff42ed3569df69618af61d3732744c3aa713816709dbe53b11ee07df97f744acd99c26155485a3dac76a4576592e181e3198bbaad86009de716b72a183baa
-
Filesize
2.9MB
MD5
2a06e3beeaa835088a964ba57fe2c518
SHA1
9ed54ddf7ae1d9ad31fa32e5f930f4c2a3947117
SHA256
3c23c634ed615c63f2461ab55425b70293725caf46cd5b8823901feed63efcd6
SHA512
45f60e3d02e7c44b96d37b07d186f0e4fb5c84e5d44c73c56408bb9b2ef84cabc2be243cd94cf7129ff09f285cb2a0d2b4becc0bfdcbfd2d03ac7cf0f3e380a3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\78e93535702e2a553d85bac1d4737210_NeikiAnalytics.exe.log
Filesize
1KB
MD5
bbb951a34b516b66451218a3ec3b0ae1
SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize
1KB
MD5
4a667f150a4d1d02f53a9f24d89d53d1
SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
bd5940f08d0be56e65e5f2aaf47c538e
SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD5
2e907f77659a6601fcc408274894da2e
SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5
62623d22bd9e037191765d5083ce16a3
SHA1
4a07da6872672f715a4780513d95ed8ddeefd259
SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
610B
MD5
65b1e267338bca7c1a2a806576540588
SHA1
56288ef4ce5f8d08ec0c04526977235cdcc58398
SHA256
d9e572e11e82aeaa1234751e49bbd186575575c55e09fad0818e0a2126d28a84
SHA512
8bedfda6abcad4581fabdd34bd89be5188c5387e535ff2dc9e34b0aa0667df677789dd283d67160b9f5a885f6a199d82b637d05ca8d3c8ba1380e2d6d7aba152
-
Filesize
944B
MD5
6d42b6da621e8df5674e26b799c8e2aa
SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5
2ea91e7d1b473f8290ae52d13e105194
SHA1
5e565d99a7733250427e70f5f6e1951a081deed6
SHA256
712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a
SHA512
0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424
-
Filesize
944B
MD5
dd0716df5ff6e2ed8bfa08e271d64dd8
SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7
SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8
SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4
-
Filesize
944B
MD5
c9478c9419eff5c6f926498364d8c3a0
SHA1
0c68dfdd6106fc85121592d5f00ad2d9b5c888c1
SHA256
e5bc3944768915b60045d5d3e72eaeb665497fc815555ac8ec638edcee7b7587
SHA512
3267fb9291a2d10fea94199cbe99242516561d602949ce08e1926566955f6f08d2e7145851f4a96656b67a0a1a3c49aa43c9df3a5c6ac6e0b5e22fbd3cb96a11
-
Filesize
944B
MD5
a672fcf7facce635c83caf7b195d0bf8
SHA1
fec2f6c2456efe713ba08fa692a4a356f2f37ba8
SHA256
71945453f618f8cf9c2ddb24132d7e0522643e13ce42a59ff65476938f56082c
SHA512
12713a140e8a73c9dd8b3bc309e3ff1256c16ecd019d1ded31ab47c71651b11dcdcf48ef889805e5bc87bdeb323c5663ff34313cc41170d2d9b45051107dc31f
-
Filesize
944B
MD5
cfecb4e0f846589c2742fd84d6bbd1db
SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec
SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa
SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475
-
Filesize
944B
MD5
057e7742b25e65a341d1341da25b54a8
SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6
SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468
SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7
-
Filesize
716B
MD5
a6811b5da29d9baed168a893c9992ad7
SHA1
5f46d69e45011cda7bfc24c592cb9f8bbe984055
SHA256
25cd9a1afa92d5fa2ef06912d9f2bdeb051bbab09241b9ec464bf9b1d010e287
SHA512
36b6df18f1e8c9488e108eeb7b0abec2f79bd4723d03962562d3b19c1ba7ace0722b4a440364ff3e60d60f14472b2311b56f99c3fdee018a93f9a69ebb53f681
-
Filesize
717B
MD5
52438066d0ffa6fb9784f69701339aba
SHA1
e8819ee53fcfef04173e4f81caca5f25fcfc77c6
SHA256
728de1dc9508c8eeedf5465acd4f02f5cf6a726fa82229e3689bcff80e4c625c
SHA512
f10e52f362f768c510681702a506390a8e1739e075c09955e0380a15003273e5785b7029917c99f2cbe67fce09c629bfeb44c428c4f3e1d640265aa9dc9eb11c
-
Filesize
717B
MD5
e5a0191daa8485d7219bab869c94350d
SHA1
e89fbe893169a77c7cf0fd2127fa484d05048939
SHA256
87f16eee25b3bf75a30f7391138198b0efbea770600406e57ec5eb00b310828d
SHA512
013c8085e98cd899fcdeb5f350d7219f4839850bae866b2dd8fb94c7af6d76041f1f9bbe3d9d20b8930269e2bf5ac36126d1032317cefbe0409a707e2b0419fe
-
Filesize
717B
MD5
08273c754b3c3929ad8a28521aeb250c
SHA1
cf63d7a413c563c224e0eafcb025d9d29f5e75e8
SHA256
87d26bbafd3e8eea7686200ea297ac226502e796dc191b593f40d09468724939
SHA512
62b242642c3e3a12f43a9dbb4847df5b331ec967e5fa65f912f440e40ec3559628e4195011a2d69d300d0312550e4a821eb073e8d67190aff9df375252d7338e
-
Filesize
493B
MD5
742b4b37c6f919194d0e4be1f736cd95
SHA1
18a32b01ca91d6f5a8906e44f0bece4c9a147ce5
SHA256
eea88b2b7bd81f39403385a468b5b90d9c2b311127e88aef0e877a2cdb8ff01b
SHA512
0e8bdbe113fa31c5ca232126e0b37208cf24aa6ae5f93266a82704ddfef9945a14976ccc27e9c4fe1428fbce6495964369bcabcfccb45c9f6d9f4895cd04748e
-
Filesize
716B
MD5
5d6a8da1ae1ad4fc8057c51f4b24c065
SHA1
31e81167ed19ad72615b0435c231f9b0021c8c3d
SHA256
c5d803be055b37f58b3b3fb7e451779d51ae317f5706de5efcc1a8a8c6074291
SHA512
5b4a6e8caadae10d3387cad728c5473374371aa254141ae4e636a5a66e8e3a8b034ce208b98b0b8a2eaab6230ccaa819727a7e08f04a2c9ab7b4329b2db4350f
-
Filesize
250B
MD5
db8a077e7c45e7fa32483d62fda4a1c9
SHA1
ebb66bb68ea5d2fca325edb7e3254340ec61a1e4
SHA256
dcadd3a9996ceb163e47278267543483ba19c6616e7132118ce76a500d475b3d
SHA512
e6f346a71226c19c4aafc0d7c6a2bc88337b480f4317884b53837a9b4d309da9c425e241f70bc961aec7ae656c7711701601ab299752a5d3e368504e3b0ee6cd
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
717B
MD5
86f461bfd4c383d8d471c455d2c024a4
SHA1
657ce0d65028bc693b15ce05c24345a4fd40164f
SHA256
d2d5a81883d9d82081ac6e85efcfaf08af705a8c7186856db938ca597e8d8ee2
SHA512
ade6611f6d01569dae9eb5a0c19c7d8a92d3b71a770cdf0eab1d18ca9f79d14fca8577b3d56b33756da97d265c5d5182980e2ccfd908b024302c0d80375c7360
-
Filesize
717B
MD5
64f6df1b7cc7cde134f9592d5da389f0
SHA1
8bae95012a247f8ba89d35675e0bad6c78d10454
SHA256
f0b04210b106d1f0c357f60e364d0c094fb97d78b09b2acacd1118f625b7d6e4
SHA512
38677db1c5d80d03bf285a61db55ebd3eeddebb08acd56f848916b6d36bb3295a6852d5a732e47208665c834e8979691f915db2aed62a9ebf2231b48ebd29189
-
Filesize
717B
MD5
32ede7cbdb2a1c5e6526f793a9298af0
SHA1
8fcae9cb3bd7910c5dc49415128b748993922fa2
SHA256
4e89ccb358667c819967cf15d19c610d98bb004055be167a78088afd560c919b
SHA512
2dd4d0cb712fe66eadb210fd5b92707245187804ebfca3ebe8da2e47a8c2fb11b139fbc4f9b048d93d2351fa111ec926ee233bb81c43b21a8bf00816ea728b4f
-
Filesize
717B
MD5
67c2904ab64c826ff200a1df6e90a7d1
SHA1
979e541f24b7b2b88df4281fd31f1c53430e7742
SHA256
e7909a47ec3a2de120629ba145499c470efd8c6a8b4f2dceefd40530aefa9a68
SHA512
4e4022fa183e3cb0f460d84524ff0f96bd700b165d83230d3b2e296e1d74a31d23f30e1cacd23d0b67f1e2615523ab3bfac7da2d0c974b2d82cbb8b81480b222