Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 05:49
Behavioral task: behavioral1
Sample: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Size: 2.9MB
MD5: a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1: 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256: 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512: d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d
SSDEEP: 49152:/4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:wDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2532 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1848 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1256 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1864 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2188 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 596 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 792 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1000 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 952 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2436 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 760 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 616 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2248 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2440 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1144 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1004 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1984 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1988 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 912 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 2724 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 900 | 2724 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Processes:
resource | yara_rule
behavioral1/memory/2916-1-0x00000000003D0000-0x00000000006B6000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | dcrat
C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\RCX4A23.tmp | dcrat
C:\Users\Default User\explorer.exe | dcrat
behavioral1/memory/2740-239-0x0000000000B80000-0x0000000000E66000-memory.dmp | dcrat
behavioral1/memory/1912-250-0x0000000000F00000-0x00000000011E6000-memory.dmp | dcrat
behavioral1/memory/1356-273-0x0000000001080000-0x0000000001366000-memory.dmp | dcrat
behavioral1/memory/692-285-0x0000000001340000-0x0000000001626000-memory.dmp | dcrat
behavioral1/memory/3036-309-0x00000000002E0000-0x00000000005C6000-memory.dmp | dcrat
behavioral1/memory/2108-321-0x0000000000180000-0x0000000000466000-memory.dmp | dcrat
behavioral1/memory/108-334-0x0000000000EE0000-0x00000000011C6000-memory.dmp | dcrat
behavioral1/memory/2836-346-0x00000000013D0000-0x00000000016B6000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes:
pid | process
1476 | powershell.exe
2956 | powershell.exe
2508 | powershell.exe
1800 | powershell.exe
288 | powershell.exe
1768 | powershell.exe
2532 | powershell.exe
2032 | powershell.exe
1808 | powershell.exe
2372 | powershell.exe
2220 | powershell.exe
2944 | powershell.exe
Executes dropped EXE (16 IoCs)
Processes:
pid | process
2740 | explorer.exe
1912 | explorer.exe
900 | explorer.exe
1356 | explorer.exe
692 | explorer.exe
1280 | explorer.exe
3036 | explorer.exe
2108 | explorer.exe
108 | explorer.exe
2836 | explorer.exe
2868 | explorer.exe
2928 | explorer.exe
1476 | explorer.exe
2740 | explorer.exe
2336 | explorer.exe
2968 | explorer.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Drops file in Program Files directory (12 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Program Files\Uninstall Information\6ccacd8608530f | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\RCX39E7.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX40CD.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Uninstall Information\RCX4C27.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Program Files\Uninstall Information\Idle.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Uninstall Information\Idle.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Drops file in Windows directory (16 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\AppPatch\AppPatch64\sppsvc.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\winlogon.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Registration\CRMLog\RCX530D.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\ShellNew\sppsvc.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\AppPatch\AppPatch64\sppsvc.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\Fonts\winlogon.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\Registration\CRMLog\System.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\Registration\CRMLog\27d1bcfc3c54e0 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellNew\sppsvc.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\AppPatch\AppPatch64\RCX433E.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Registration\CRMLog\System.exe | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\ShellNew\0a1fd5f707cd16 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\AppPatch\AppPatch64\0a1fd5f707cd16 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created | C:\Windows\Fonts\cc11b995f2a76d | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\ShellNew\RCX3BEB.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification | C:\Windows\Fonts\RCX4820.tmp | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
912 | schtasks.exe
1956 | schtasks.exe
596 | schtasks.exe
1064 | schtasks.exe
1992 | schtasks.exe
2388 | schtasks.exe
2800 | schtasks.exe
2656 | schtasks.exe
1656 | schtasks.exe
1552 | schtasks.exe
792 | schtasks.exe
2268 | schtasks.exe
2384 | schtasks.exe
2748 | schtasks.exe
1848 | schtasks.exe
2892 | schtasks.exe
900 | schtasks.exe
2516 | schtasks.exe
1988 | schtasks.exe
2484 | schtasks.exe
2188 | schtasks.exe
584 | schtasks.exe
760 | schtasks.exe
2424 | schtasks.exe
1664 | schtasks.exe
2780 | schtasks.exe
2832 | schtasks.exe
1000 | schtasks.exe
616 | schtasks.exe
2248 | schtasks.exe
2784 | schtasks.exe
1864 | schtasks.exe
1780 | schtasks.exe
1256 | schtasks.exe
3040 | schtasks.exe
1740 | schtasks.exe
2436 | schtasks.exe
2872 | schtasks.exe
836 | schtasks.exe
2440 | schtasks.exe
2532 | schtasks.exe
2020 | schtasks.exe
1004 | schtasks.exe
1984 | schtasks.exe
2200 | schtasks.exe
1144 | schtasks.exe
1536 | schtasks.exe
2956 | schtasks.exe
952 | schtasks.exe
2000 | schtasks.exe
2224 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
pid | process
2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
2508 | powershell.exe
1768 | powershell.exe
2372 | powershell.exe
2032 | powershell.exe
2220 | powershell.exe
1476 | powershell.exe
2944 | powershell.exe
2532 | powershell.exe
1808 | powershell.exe
1800 | powershell.exe
2956 | powershell.exe
288 | powershell.exe
2740 | explorer.exe
1912 | explorer.exe
900 | explorer.exe
1356 | explorer.exe
692 | explorer.exe
1280 | explorer.exe
3036 | explorer.exe
2108 | explorer.exe
108 | explorer.exe
2836 | explorer.exe
2868 | explorer.exe
2928 | explorer.exe
1476 | explorer.exe
2740 | explorer.exe
2336 | explorer.exe
2968 | explorer.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1768 | powershell.exe
Token: SeDebugPrivilege | 2508 | powershell.exe
Token: SeDebugPrivilege | 2372 | powershell.exe
Token: SeDebugPrivilege | 2032 | powershell.exe
Token: SeDebugPrivilege | 2220 | powershell.exe
Token: SeDebugPrivilege | 1476 | powershell.exe
Token: SeDebugPrivilege | 2944 | powershell.exe
Token: SeDebugPrivilege | 1808 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Token: SeDebugPrivilege | 1800 | powershell.exe
Token: SeDebugPrivilege | 2956 | powershell.exe
Token: SeDebugPrivilege | 288 | powershell.exe
Token: SeDebugPrivilege | 2740 | explorer.exe
Token: SeDebugPrivilege | 1912 | explorer.exe
Token: SeDebugPrivilege | 900 | explorer.exe
Token: SeDebugPrivilege | 1356 | explorer.exe
Token: SeDebugPrivilege | 692 | explorer.exe
Token: SeDebugPrivilege | 1280 | explorer.exe
Token: SeDebugPrivilege | 3036 | explorer.exe
Token: SeDebugPrivilege | 2108 | explorer.exe
Token: SeDebugPrivilege | 108 | explorer.exe
Token: SeDebugPrivilege | 2836 | explorer.exe
Token: SeDebugPrivilege | 2868 | explorer.exe
Token: SeDebugPrivilege | 2928 | explorer.exe
Token: SeDebugPrivilege | 1476 | explorer.exe
Token: SeDebugPrivilege | 2740 | explorer.exe
Token: SeDebugPrivilege | 2336 | explorer.exe
Token: SeDebugPrivilege | 2968 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2916 wrote to memory of 1476 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1476 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1476 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2032 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2032 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2032 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2956 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2956 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2956 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1808 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1808 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1808 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2372 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2372 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2372 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2508 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2508 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2508 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1800 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1800 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1800 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 288 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 288 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 288 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1768 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1768 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 1768 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2220 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2220 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2220 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2944 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2944 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2944 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2532 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2532 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2532 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | powershell.exe
PID 2916 wrote to memory of 2932 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | cmd.exe
PID 2916 wrote to memory of 2932 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | cmd.exe
PID 2916 wrote to memory of 2932 | 2916 | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe | cmd.exe
PID 2932 wrote to memory of 2072 | 2932 | cmd.exe | w32tm.exe
PID 2932 wrote to memory of 2072 | 2932 | cmd.exe | w32tm.exe
PID 2932 wrote to memory of 2072 | 2932 | cmd.exe | w32tm.exe
PID 2932 wrote to memory of 2740 | 2932 | cmd.exe | explorer.exe
PID 2932 wrote to memory of 2740 | 2932 | cmd.exe | explorer.exe
PID 2932 wrote to memory of 2740 | 2932 | cmd.exe | explorer.exe
PID 2740 wrote to memory of 1324 | 2740 | explorer.exe | WScript.exe
PID 2740 wrote to memory of 1324 | 2740 | explorer.exe | WScript.exe
PID 2740 wrote to memory of 1324 | 2740 | explorer.exe | WScript.exe
PID 2740 wrote to memory of 2184 | 2740 | explorer.exe | WScript.exe
PID 2740 wrote to memory of 2184 | 2740 | explorer.exe | WScript.exe
PID 2740 wrote to memory of 2184 | 2740 | explorer.exe | WScript.exe
PID 1324 wrote to memory of 1912 | 1324 | WScript.exe | explorer.exe
PID 1324 wrote to memory of 1912 | 1324 | WScript.exe | explorer.exe
PID 1324 wrote to memory of 1912 | 1324 | WScript.exe | explorer.exe
PID 1912 wrote to memory of 1116 | 1912 | explorer.exe | WScript.exe
PID 1912 wrote to memory of 1116 | 1912 | explorer.exe | WScript.exe
PID 1912 wrote to memory of 1116 | 1912 | explorer.exe | WScript.exe
PID 1912 wrote to memory of 2036 | 1912 | explorer.exe | WScript.exe
PID 1912 wrote to memory of 2036 | 1912 | explorer.exe | WScript.exe
PID 1912 wrote to memory of 2036 | 1912 | explorer.exe | WScript.exe
PID 1116 wrote to memory of 900 | 1116 | WScript.exe | explorer.exe
PID 1116 wrote to memory of 900 | 1116 | WScript.exe | explorer.exe
PID 1116 wrote to memory of 900 | 1116 | WScript.exe | explorer.exe
PID 900 wrote to memory of 2720 | 900 | explorer.exe | WScript.exe
System policy modification 1 TTPs 51 IoCs
Processes:
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ysdVHTnJN0.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2072
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a103a78f-e69e-4984-a98e-02fbdc3036ca.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1912 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f48389c-5fe3-4edb-8897-1f3a2970d12c.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:900 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c28514-d9f2-4328-bf7e-ccccb591eb51.vbs"8⤵PID:2720
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1356 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363e9cb1-9fa6-4511-896e-bffa6e147617.vbs"10⤵PID:2372
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:692 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49b05093-abad-4a08-9315-6f4ba8024643.vbs"12⤵PID:2512
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1280 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a05d262-3d9e-4444-827e-2fd7e20c2a9e.vbs"14⤵PID:528
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66eb1788-9bf1-484a-9680-9b2cd437ade7.vbs"16⤵PID:2900
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5856f763-0706-4448-a9a9-7a507254ebdb.vbs"18⤵PID:1048
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:108 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd21ad2-deb4-4f54-bc37-d8c5b4cdf663.vbs"20⤵PID:1780
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2836 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c5ecdb-6242-4970-8ff2-216e3ce08404.vbs"22⤵PID:816
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2868 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc4ed6ce-a865-4918-9580-f21e3c8129b7.vbs"24⤵PID:1580
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"25⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2928 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af619b65-e94e-4518-8fd3-3b38b9aa7901.vbs"26⤵PID:1728
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"27⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1476 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20f997a6-e691-449e-b4ab-f54325f1d1a5.vbs"28⤵PID:1712
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"29⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2740 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efc3972d-4bc8-4538-a7d7-15111adfb2e6.vbs"30⤵PID:920
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"31⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2336 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f2ec64b-07d9-40ac-b63d-a60925424799.vbs"32⤵PID:2280
-
C:\Users\Default User\explorer.exe"C:\Users\Default User\explorer.exe"33⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2968 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b97223-d627-4df8-a0c2-9553b0654e44.vbs"32⤵PID:376
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f797ed-15b6-4c67-bca6-87a1c538e50b.vbs"30⤵PID:2492
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b0d352-4272-4049-911b-423f0bed4820.vbs"28⤵PID:1048
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746f13de-eede-4584-84e2-6147e48d5ba7.vbs"26⤵PID:2144
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d58e40c2-ec4a-468b-9331-f58b49a88554.vbs"24⤵PID:2952
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e71719c5-d0a5-453d-8d12-a7b08c39d2be.vbs"22⤵PID:2408
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9579227-adf1-401e-a06c-b6a0db3b9a8f.vbs"20⤵PID:2692
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e044797a-682b-4f31-8703-0404eb87f85d.vbs"18⤵PID:1536
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9653902-85a6-4ec7-a7fb-05181742a7ce.vbs"16⤵PID:792
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fb2d96-9d6e-4108-9606-48f561a1beb3.vbs"14⤵PID:1200
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c388c0e-ff71-4de1-8956-42a35fcf6e39.vbs"12⤵PID:2172
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a3003c-2cf5-4c22-94d4-e1af823e26f2.vbs"10⤵PID:2892
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bea4c72-b1dd-4f2b-838b-0ef599d892cc.vbs"8⤵PID:1832
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46bb77b-488d-47ed-853d-92024bc74635.vbs"6⤵PID:2036
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf32d81-2334-4beb-8790-6d40e34b86f1.vbs"4⤵PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\AppPatch64\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD5 a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512 d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d
-
Filesize
2.9MB
MD5 44436a33067d0a0f891727bc4fb08ae0
SHA1 ca94d039b7a3ad474b6a8d8557b89ea8671b553f
SHA256 e035aebba4b502bf1a002fcbffb99bcce4ce74f3b8b7bc794977fa36aff01e15
SHA512 7f07b35fee3e6594fe327ab1d944ef09f04c2833d8b3b4769e8eff91384dbb580b11eec9515f19a5de303ffda516e90dfe9774bb559fb29dbab2fdf4b018bbfc
-
Filesize
710B
MD5 8b6760853264e9b1289ba72b5ac5d262
SHA1 3d7369a19ead3c2a6571853cc412cde1cdfd6ad9
SHA256 b33e5243c0cf17697d0d0ad3b9e2213dd6f6360f1ddf05129d55d80bec026f90
SHA512 1a6fc54f7f2d52a6e1a92a7626f8335965c6a756f26d0bda5e84a105a6a237004f60c4a35c170c87bc86fc206c76aad33cafc129246b11af91251b1b541ba5f7
-
Filesize
710B
MD5 03c0266b5bff2bef60df923994cd9649
SHA1 bc644b9ad5a63b8c6ae193fb0775e8b856cbfadb
SHA256 e0230ad0251c667d8c7af42f20ebc15b5aaf3a4cbd6bd9add614c1e0d587de27
SHA512 b8ae7d6964b5b8deb10b4c670fd3cbbb6d4df2d00d9a76f6065667e551e17e79ea290b5a47a30bdad5d83d08c679cb157297fc82f3327bd828550947597ee72b
-
Filesize
710B
MD5 77b4f91f849a13506d2863959d7d5271
SHA1 9b8eaafd9981d0dd84c4f220c1f6271d72628d3c
SHA256 e5b8b1617b5b8ba2ffd82bf4a268f53032999b1ce0482b7a21fb1a8f42df1f3b
SHA512 2866ff9551b9163e9ade90f23830cf1cb1b7daa12c953678e5340bd47047f1ed916a48420d52f93d68c7fa1fb6fbe065942b53c6cbf6944514fbadc588c6a785
-
Filesize
709B
MD5 dde2c2cd95c9fbf964f53391cce772cd
SHA1 1e6db9c34910485cf4ba7d993e517f581c3e28a0
SHA256 9dbc6df11da61e79b3ea24f279ba2127da950431dcd677558d3b13cb7e27e34b
SHA512 6b2f93fa8e507096923ee99eaf0fe925343dd615b07c649070af68fbc755ad14a2eb027a585e8104ef3df2e789eea8f3c740eeb8393c0e7c5fe5381caf0bdc95
-
Filesize
710B
MD5 c8a3ff7e6889fa4be2cb61fb8c2b3e3c
SHA1 db27fa765eb7396a9bc495d1030cb0de26adaf10
SHA256 6510fe533cac0b04513d7ec46fde8b01ceb004b011935100837f0e54cfb71e6e
SHA512 18345ec505d8fde99771efb90b3468e6b9e71ebd123515adbacda9f1a60f83126577e7312f17560f6c835eb4ddf7c95a01f1b5e6be514cc3f928e957ca2ea672
-
Filesize
710B
MD5 436abedf4c75b2b7d1469d6e32a080e6
SHA1 cb9c2ff4e88d6bd0e85b05d525ec443a21a5eaf6
SHA256 bf248970d9fe707a26c11e4608412c453f84eda7f7ec37dc51e0c709ea794ba0
SHA512 6a078f8e73949c3a14ac6e87d6064a785e55ab5232724b229459bbaabaf8a1d7b1c5a044e36069c83d633302af4c96ec7da473894911a8dfb9ce2a11e64295c7
-
Filesize
710B
MD5 b2a9f21ab75442a9c49709d943909f53
SHA1 61cf811310f01e21f7b9e1696f300469edfca865
SHA256 c071864763d744838488100cc2b7345d0db41b2c926bd197c46162ee6d6ff1c8
SHA512 c2a55d7c4a53fd0053141b9c23ca7fbea8ea79f435c703bc826990a9f339e7a3690ef696371afd8e43ef3d3624a7a78f6f389c2abb4c236c367db90730c44a17
-
Filesize
710B
MD5 8211a40ed2336dd1fd9dfbbc27992da8
SHA1 92512caa7fd00f14ea86bb69d41701d64f71b685
SHA256 85d5519b16cf93d5af2a8001bc8d0ff5024e46bcb1a181a99b184718e535c267
SHA512 c45ced917a1a4a1b83793fe1331ada83dae344c715d7ffa1039cc7b57876fed54bb0abdbd669137ce5d68a3ca0b37d5d4f7ec3c017acc180fbcb32b6bfa79590
-
Filesize
710B
MD5 833204edc74a46c1b3c31f0162f1bea9
SHA1 5d74bb81526a30a74808c2ae4a61244126f23be0
SHA256 f619801be262b907e1a2ccf8ce86536599409c13b08fa5d6b8f7d2b7c0ea1c40
SHA512 6e52ca5114e68f4417f3249d147a76672118ef8b6ed494234737ee0e2a2d3d0b5a3626c99ed4f73a3dc3346db78e95a09821ece29ca62f775d17e3dd83f21226
-
Filesize
709B
MD5 41ac08dfea8ccfa548aff02b7c894b71
SHA1 b38cc1b2a0aa8d84817033a39fdb4d0eb0ae2789
SHA256 9eb845b876a14978d6054a77f85b3a9f2baf70ab48cce9b64dabf0917d1d8371
SHA512 38916801d169cd21401cf4f00bd5a308ebbee3f347b6665255dd97ae8bfb9b144cfbbaa38c990ec519aae50c9a9bdb3bc8f35503d1bf6366549ee33e842ba7d9
-
Filesize
486B
MD5 1c2f36472004060d89caa407f30b543c
SHA1 c1cc08c35d5c362880ecfc2ea61f63af19e7128f
SHA256 cc493f9fcba742b167d62bb8797d061a3a7ff89cf307724ba1db4e619ee4bc85
SHA512 c63bfb9764edf8dcf5f0a0e01e574674f2fd262f58acc5e7f8bf756c4ac934e48eebcac19e1747fed5201833e2ab25cc86c4b454adfdb0618abf22428bd219f6
-
Filesize
710B
MD5 25821d49b304d69d0b8265d0ae9aa653
SHA1 1771439b248eb23918800b42ec1df6fd09560cec
SHA256 8bca05d98783e7f69de335c2cd445feac3b236549df025f7a29574a6d7cdc0c8
SHA512 b335f1cf089c5916c00c9cf6a41291a635686f22b20068c0e2a1d70431d267dec8025af1567a3c166612ac12fd1f0896cdbc89a2c11fc1dd6764386689f440d8
-
Filesize
709B
MD5 360e4511635271df794301ad9e892aef
SHA1 6f7ef3c50758d764420087f36fa5db88f9983419
SHA256 39124004cc318cdded86a0fec0a825839068787fbb84f3dfb0addaff845a6566
SHA512 2ee7ba3f322c8400127959d3362d91c9f73c02071e731cf826bdc2c1cca3b18ae86bb5a99b828512c774c388724048d5c98a75b237aa6e5b4b30874c05d75d8a
-
Filesize
199B
MD5 5e987f294a58b481115f6f419b4fdb0e
SHA1 39a56c7c58f94522aa62b371d2a7d16b28bf90cf
SHA256 d5bcd09252fd6a9ef309885bbff877f89102f2bcb47915f079dd1b7d13ba66e3
SHA512 bc42ff46d829fd32116322133ffc7e0ed6af3cff88522ed3e13e841343504ccad78ccb3d3a39616a6a138c164473e265632dadd13da68e804a525a23cc566e9b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5 385c61ebb84899b6c237418d46361ec0
SHA1 032b60538924eaa68fdefcb0104a169349214813
SHA256 234b10b7f8359feef9540045b0adf98284c405326422de78387e7fe51ef3f55f
SHA512 6b430751f645c2bb0ab99d60f602b777a746758023671c50ca1681d70032cf40efa1ee73eb2493dccf4fa367a5b10f5ed3842b513d71dbfe149ea5a55f6db50c
-
Filesize
2.9MB
MD5 bb329817c94e26958235e548ecf4b299
SHA1 9f54532fd35427c7f6a3cc736fff38562d9ccdd1
SHA256 82cee8bf2fb5dc31e2cd5e0d2c1968b021de724f525c15f549e8cb397d30f7a5
SHA512 223df78f5240530a871be607e73b2d4a0f3f0320bb08d31b66229ef1002cae1d4405c5e0ff975ab0342fdb4dcf16c40a14fa0e2a3df4b2fa0fe8aa4253d5ecc3