Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 05:49

Behavioral task: behavioral1
Sample: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Size: 2.9MB
MD5: a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1: 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256: 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512: d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d
SSDEEP: 49152:/4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:wDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (48 instances)
description (every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (every row): 2020
target process (every row): schtasks.exe
pid (48 rows, in report order): 1404, 3156, 1296, 3580, 5068, 1152, 900, 3976, 4444, 4924, 560, 1848, 3968, 1460, 2800, 4136, 4832, 452, 1684, 4964, 1016, 4668, 1816, 4492, 1524, 3036, 2568, 1804, 1864, 2204, 2768, 4656, 3932, 2552, 1948, 3504, 4544, 1252, 2352, 4612, 4644, 3988, 2340, 2720, 2632, 1508, 1728, 4936
Processes: System.exe (14 instances), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
ioc values in every row are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

description      ioc                                process
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int)  PromptOnSecureDesktop = "0"        a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  ConsentPromptBehaviorAdmin = "0"   System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  EnableLUA = "0"                    a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int)  EnableLUA = "0"                    System.exe
Set value (int)  PromptOnSecureDesktop = "0"        System.exe
Set value (int)  EnableLUA = "0"                    System.exe
Processes:
resource                                                                      yara_rule
behavioral2/memory/1420-1-0x0000000000290000-0x0000000000576000-memory.dmp    dcrat
C:\Users\Public\Videos\backgroundTaskHost.exe                                 dcrat
C:\Users\Default\Links\RCX66C1.tmp                                            dcrat
C:\Windows\DiagTrack\spoolsv.exe                                              dcrat
C:\Program Files\dotnet\swidtag\System.exe                                    dcrat
behavioral2/memory/5296-304-0x0000000000450000-0x0000000000736000-memory.dmp  dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes: powershell.exe (11 instances)
pid (process powershell.exe in every row): 3576, 832, 2568, 1168, 1816, 2332, 1524, 3036, 1960, 4280, 636
Checks computer location settings 2 TTPs 15 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: System.exe (14 instances), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
description (every row): Key value queried
ioc (every row): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
process: System.exe (rows 1-13), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe (row 14), System.exe (row 15)
Executes dropped EXE 14 IoCs
Processes: System.exe (14 instances)
pid (process System.exe in every row): 5296, 5712, 6076, 2796, 2912, 936, 5312, 5564, 1744, 1948, 2056, 3876, 5572, 3780
Processes: System.exe (14 instances), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
ioc values in every row are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

description        ioc              process
Key value queried  EnableLUA        System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
Set value (int)    EnableLUA = "0"  System.exe
Set value (int)    EnableLUA = "0"  System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Key value queried  EnableLUA        System.exe
Set value (int)    EnableLUA = "0"  System.exe
Set value (int)    EnableLUA = "0"  System.exe
Set value (int)    EnableLUA = "0"  System.exe
Key value queried  EnableLUA        System.exe
Drops file in Program Files directory 28 IoCs
Processes: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
process (every row): a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

description                   ioc
File created                  C:\Program Files (x86)\Windows Portable Devices\upfc.exe
File created                  C:\Program Files\dotnet\swidtag\System.exe
File opened for modification  C:\Program Files (x86)\Windows Portable Devices\upfc.exe
File opened for modification  C:\Program Files\Microsoft Office\sysmon.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File created                  C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115
File created                  C:\Program Files\Microsoft Office\sysmon.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
File opened for modification  C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe
File created                  C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe
File created                  C:\Program Files (x86)\Windows Mail\sihost.exe
File created                  C:\Program Files\dotnet\swidtag\27d1bcfc3c54e0
File opened for modification  C:\Program Files\MSBuild\Microsoft\RCX5C5B.tmp
File opened for modification  C:\Program Files\dotnet\swidtag\System.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\RCX760A.tmp
File created                  C:\Program Files\MSBuild\Microsoft\dllhost.exe
File opened for modification  C:\Program Files (x86)\Windows Mail\sihost.exe
File opened for modification  C:\Program Files\dotnet\swidtag\RCX6F6F.tmp
File opened for modification  C:\Program Files\MSBuild\Microsoft\RCX6D6B.tmp
File created                  C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2
File opened for modification  C:\Program Files\MSBuild\Microsoft\dllhost.exe
File opened for modification  C:\Program Files\Microsoft Office\RCX780F.tmp
File created                  C:\Program Files\MSBuild\Microsoft\5940a34987c991
File created                  C:\Program Files\MSBuild\Microsoft\eddb19405b7ce1
File created                  C:\Program Files\Microsoft Office\121e5b5079f7c0
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RCX5A57.tmp
File opened for modification  C:\Program Files (x86)\Windows Portable Devices\RCX64AC.tmp
File created                  C:\Program Files\Windows Sidebar\Gadgets\e89e8506bc9c9a
Drops file in Windows directory 12 IoCs
Processes: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
process (every row): a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe

description                   ioc
File opened for modification  C:\Windows\DiagTrack\spoolsv.exe
File opened for modification  C:\Windows\ModemLogs\RCX7405.tmp
File created                  C:\Windows\twain_32\csrss.exe
File created                  C:\Windows\twain_32\886983d96e3d3e
File created                  C:\Windows\DiagTrack\spoolsv.exe
File created                  C:\Windows\DiagTrack\f3b6ecef712a24
File opened for modification  C:\Windows\twain_32\RCX6298.tmp
File opened for modification  C:\Windows\DiagTrack\RCX6AE9.tmp
File opened for modification  C:\Windows\ModemLogs\smss.exe
File created                  C:\Windows\ModemLogs\smss.exe
File created                  C:\Windows\ModemLogs\69ddcba757bf72
File opened for modification  C:\Windows\twain_32\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (48 instances)
pid (process schtasks.exe in every row): 4832, 1684, 4668, 1524, 1252, 4644, 5068, 1152, 1948, 2720, 4936, 1848, 1016, 1296, 3932, 2800, 452, 4492, 3504, 4612, 1508, 560, 3968, 4444, 4136, 4964, 1816, 1804, 4656, 1404, 3580, 2768, 2552, 4544, 3988, 3156, 1864, 2568, 2204, 2352, 2340, 2632, 1728, 1460, 3036, 4924, 900, 3976
Modifies registry class 15 IoCs
Processes: System.exe (14 instances), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
description (every row): Key created
ioc (every row): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings
process: System.exe (rows 1-5), a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe (row 6), System.exe (rows 7-15)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe, powershell.exe (11 instances), System.exe (14 instances)

pid (in report order)                                                                                                                      process
1420 (16 rows)                                                                                                                             a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
1524, 1524, 4280, 4280, 2332, 2332, 1960, 1960, 636, 636, 832, 832, 2568, 2568, 1168, 1168, 3036, 3036, 1816, 1816, 3576, 3576, 2568, 4280, 2332, 3036, 1524, 832, 1960, 1168, 1816, 636, 3576 (33 rows)  powershell.exe
5296, 5712, 6076, 2796, 2912, 936, 5312, 5564, 1744, 1948, 2056, 3876, 5572, 5572, 3780 (15 rows)                                          System.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes: a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe, powershell.exe (11 instances), System.exe (14 instances)
description (every row): Token: SeDebugPrivilege

pid (in report order)                                                          process
1420                                                                           a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
1524, 3036, 4280, 2568, 832, 2332, 1960, 636, 1816, 1168, 3576                 powershell.exe
5296, 5712, 6076, 2796, 2912, 936, 5312, 5564, 1744, 1948, 2056, 3876, 5572, 3780  System.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                        pid   process                                               target process
  PID 1420 wrote to memory of 3576   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 3576   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 2332   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 2332   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 636    1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 636    1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1816   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1816   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 4280   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 4280   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 832    1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 832    1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1524   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1524   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1960   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1960   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 3036   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 3036   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1168   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 1168   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 2568   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 2568   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  powershell.exe
  PID 1420 wrote to memory of 2720   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  cmd.exe
  PID 1420 wrote to memory of 2720   1420  a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  cmd.exe
  PID 2720 wrote to memory of 3044   2720  cmd.exe                                               w32tm.exe
  PID 2720 wrote to memory of 3044   2720  cmd.exe                                               w32tm.exe
  PID 2720 wrote to memory of 5296   2720  cmd.exe                                               System.exe
  PID 2720 wrote to memory of 5296   2720  cmd.exe                                               System.exe
  PID 5296 wrote to memory of 5500   5296  System.exe                                            WScript.exe
  PID 5296 wrote to memory of 5500   5296  System.exe                                            WScript.exe
  PID 5296 wrote to memory of 5544   5296  System.exe                                            WScript.exe
  PID 5296 wrote to memory of 5544   5296  System.exe                                            WScript.exe
  PID 5500 wrote to memory of 5712   5500  WScript.exe                                           System.exe
  PID 5500 wrote to memory of 5712   5500  WScript.exe                                           System.exe
  PID 5712 wrote to memory of 5880   5712  System.exe                                            WScript.exe
  PID 5712 wrote to memory of 5880   5712  System.exe                                            WScript.exe
  PID 5712 wrote to memory of 5928   5712  System.exe                                            WScript.exe
  PID 5712 wrote to memory of 5928   5712  System.exe                                            WScript.exe
  PID 5880 wrote to memory of 6076   5880  WScript.exe                                           System.exe
  PID 5880 wrote to memory of 6076   5880  WScript.exe                                           System.exe
  PID 6076 wrote to memory of 3540   6076  System.exe                                            WScript.exe
  PID 6076 wrote to memory of 3540   6076  System.exe                                            WScript.exe
  PID 6076 wrote to memory of 4864   6076  System.exe                                            WScript.exe
  PID 6076 wrote to memory of 4864   6076  System.exe                                            WScript.exe
  PID 3540 wrote to memory of 2796   3540  WScript.exe                                           System.exe
  PID 3540 wrote to memory of 2796   3540  WScript.exe                                           System.exe
  PID 2796 wrote to memory of 4436   2796  System.exe                                            WScript.exe
  PID 2796 wrote to memory of 4436   2796  System.exe                                            WScript.exe
  PID 2796 wrote to memory of 3736   2796  System.exe                                            WScript.exe
  PID 2796 wrote to memory of 3736   2796  System.exe                                            WScript.exe
  PID 4436 wrote to memory of 2912   4436  WScript.exe                                           System.exe
  PID 4436 wrote to memory of 2912   4436  WScript.exe                                           System.exe
  PID 2912 wrote to memory of 4644   2912  System.exe                                            WScript.exe
  PID 2912 wrote to memory of 4644   2912  System.exe                                            WScript.exe
  PID 2912 wrote to memory of 4980   2912  System.exe                                            WScript.exe
  PID 2912 wrote to memory of 4980   2912  System.exe                                            WScript.exe
  PID 4644 wrote to memory of 936    4644  WScript.exe                                           System.exe
  PID 4644 wrote to memory of 936    4644  WScript.exe                                           System.exe
  PID 936 wrote to memory of 4732    936   System.exe                                            WScript.exe
  PID 936 wrote to memory of 4732    936   System.exe                                            WScript.exe
  PID 936 wrote to memory of 1408    936   System.exe                                            WScript.exe
  PID 936 wrote to memory of 1408    936   System.exe                                            WScript.exe
  PID 4732 wrote to memory of 5312   4732  WScript.exe                                           System.exe
  PID 4732 wrote to memory of 5312   4732  WScript.exe                                           System.exe
-
System policy modification 1 TTPs 45 IoCs
Processes:
  description      ioc                                                                                                 process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"        System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"   System.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                    System.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1420 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168 -
depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
depth 2: C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U3xVM6PQLh.bat"
- Suspicious use of WriteProcessMemory
PID:2720 -
depth 3: C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:3044
-
depth 3: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5296 -
depth 4: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81f75e1a-5ede-4883-a03a-b7e16ecacfdd.vbs"
- Suspicious use of WriteProcessMemory
PID:5500 -
depth 5: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5712 -
depth 6: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac04cd05-46ac-40b8-a34e-18cdf1e6605a.vbs"
- Suspicious use of WriteProcessMemory
PID:5880 -
depth 7: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6076 -
depth 8: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6368dd9-c571-488c-8bb1-422af6182adb.vbs"
- Suspicious use of WriteProcessMemory
PID:3540 -
depth 9: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2796 -
depth 10: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8faeba6-9ae1-41ed-a528-84dda39cccc8.vbs"
- Suspicious use of WriteProcessMemory
PID:4436 -
depth 11: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2912 -
depth 12: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d20f3306-4e35-46f6-b7e9-c82194a1a269.vbs"
- Suspicious use of WriteProcessMemory
PID:4644 -
depth 13: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:936 -
depth 14: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe2e06b6-6c37-42de-8658-130013668675.vbs"
- Suspicious use of WriteProcessMemory
PID:4732 -
depth 15: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5312 -
depth 16: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\719e169f-903c-4569-a74a-fa94cc4178a2.vbs"
PID:5608
-
depth 17: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5564 -
depth 18: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01b7f7f-817b-43a8-82ba-ade5a662e2b0.vbs"
PID:5888
-
depth 19: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1744 -
depth 20: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7960f7f-439a-44aa-a2f7-27b560e4b9ac.vbs"
PID:4352
-
depth 21: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1948 -
depth 22: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77f2a231-b325-4c4b-afba-1b61ebb5c891.vbs"
PID:3512
-
depth 23: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2056 -
depth 24: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db4ef1d8-91d7-4060-93d4-c943c3ee3da7.vbs"
PID:5180
-
depth 25: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3876 -
depth 26: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a67a3a51-6220-48b6-8ac9-fc67a4cd4b40.vbs"
PID:5468
-
depth 27: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5572 -
depth 28: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ee3762b-8af4-4bbe-afbb-769b535487eb.vbs"
PID:5980
-
depth 29: C:\Program Files\dotnet\swidtag\System.exe  "C:\Program Files\dotnet\swidtag\System.exe"
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3780 -
depth 30: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7afeb9-4690-44b9-84fb-30d576701e7a.vbs"
PID:2552
-
depth 30: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75a50156-2663-4b4b-bf25-7f45c26ab261.vbs"
PID:1980
-
depth 28: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e42af9e-4a9e-4b3f-87f9-1ed082f1c2be.vbs"
PID:1048
-
depth 26: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83bb50e7-6ec4-4593-9944-e7a711ebc540.vbs"
PID:4596
-
depth 24: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9bcd02-e3f7-48bb-a851-d15130deb456.vbs"
PID:4408
-
depth 22: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3651f02-5395-474d-b367-ee32436e5be6.vbs"
PID:4136
-
depth 20: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf8ac19-b53f-413f-94c3-0b06d396ed10.vbs"
PID:5104
-
depth 18: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8fd2d6-68c8-4dfa-85a9-3d8c48513509.vbs"
PID:6004
-
depth 16: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f62c84-6bee-43aa-afbd-b7458af06888.vbs"
PID:5480
-
depth 14: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b691a4-14fe-4da3-b397-1f44c822e938.vbs"
PID:1408
-
depth 12: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697d4c62-43ea-4b32-b7c3-583a20277f8f.vbs"
PID:4980
-
depth 10: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9882725b-11cd-40c9-9f7b-7463a6ad7fac.vbs"
PID:3736
-
depth 8: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d568da6-b483-406a-b3f8-43a5f035db11.vbs"
PID:4864
-
depth 6: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e17fdfc-9d3a-4b13-976d-4d88cfdfdc63.vbs"
PID:5928
-
depth 4: C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e445b310-c7c2-414c-9d15-e45d689b04be.vbs"
PID:5544
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalyticsa" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\a8afc525e8ae9a9c34f01e2efb7fdab0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864
-
depth 1: C:\Windows\system32\schtasks.exe  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936
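Every one of the task registrations above follows the same template: a copy of the payload named after a Windows system binary (dllhost.exe, spoolsv.exe, smss.exe, sihost.exe, taskhostw.exe, sysmon.exe, upfc.exe, System.exe) is dropped into a writable directory that never legitimately holds that binary, then registered once ONLOGON and once or twice on a 5 to 14 minute MINUTE cadence, mostly with /rl HIGHEST, and every schtasks.exe instance is spawned by wmiprvse.exe rather than by the sample itself. The Python below is an added detection example, not part of the Triage report or of the sample; it parses schtasks.exe command lines from process-creation telemetry, scores each against those indicators, and correlates targets that were registered both ONLOGON and on a MINUTE schedule. The event field names (pid, image, parent_image, cmdline), the 15-minute interval threshold and the "two indicators or more" rule are assumptions to adapt to your own telemetry; the sample events are constructed from command lines in this report plus one benign task for contrast.

```python
"""Flag schtasks-based persistence of the kind shown in the report above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Binary names the sample copies into unusual directories (taken from the report).
SYSTEM_BINARY_NAMES = {"dllhost.exe", "spoolsv.exe", "smss.exe", "sihost.exe",
                       "taskhostw.exe", "sysmon.exe", "upfc.exe", "system.exe"}
# Only these directories legitimately hold binaries with those names.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that should never be creating scheduled tasks (the report's own alert).
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}
SHORT_INTERVAL_MINUTES = 15  # assumption: heuristic threshold, tune per environment

# A /switch followed by an optional value: a double-quoted string or a bare token.
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Return {switch: value} for a schtasks command line; valueless switches map to None."""
    opts: Dict[str, Optional[str]] = {}
    for m in OPT_RE.finditer(cmdline):
        value = m.group(2)
        if value is not None:
            # The sample wraps /tr in "'...'": strip both layers of quoting.
            value = value.strip('"').strip("'")
        opts[m.group(1).lower()] = value
    return opts


@dataclass
class Finding:
    pid: int
    task_name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: dict) -> Optional[Finding]:
    """Score one process-creation event; return a Finding if two or more indicators fire."""
    if _basename(event["image"]) != "schtasks.exe":
        return None
    opts = parse_schtasks(event["cmdline"])
    if "create" not in opts:
        return None
    target = opts.get("tr") or ""
    reasons = []
    parent = _basename(event["parent_image"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if _basename(target) in SYSTEM_BINARY_NAMES and not target.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"system binary name outside System32: {target}")
    if (opts.get("sc") or "").upper() == "MINUTE":
        every = int(opts.get("mo") or 1)  # schtasks defaults /mo to 1 when omitted
        if every <= SHORT_INTERVAL_MINUTES:
            reasons.append(f"re-runs every {every} minute(s)")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        reasons.append("runs with /rl HIGHEST")
    if len(reasons) < 2:
        return None
    return Finding(event["pid"], opts.get("tn") or "", target, reasons)


def hunt(events: List[dict]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f]


def targets_with_logon_and_interval(events: List[dict]) -> List[str]:
    """Targets registered both ONLOGON and on a MINUTE cadence: the pairing this sample uses."""
    schedules: Dict[str, set] = {}
    for e in events:
        if _basename(e["image"]) != "schtasks.exe":
            continue
        o = parse_schtasks(e["cmdline"])
        if "create" in o and o.get("tr"):
            schedules.setdefault(o["tr"].lower(), set()).add((o.get("sc") or "").upper())
    return sorted(t for t, s in schedules.items() if {"ONLOGON", "MINUTE"} <= s)


# Constructed events: command lines copied from the report, plus one benign task for contrast.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [
    {"pid": 1016, "image": SCHTASKS, "parent_image": WMI,
     "cmdline": r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f"""},
    {"pid": 1816, "image": SCHTASKS, "parent_image": WMI,
     "cmdline": r"""schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f"""},
    {"pid": 4492, "image": SCHTASKS, "parent_image": WMI,
     "cmdline": r"""schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\sysmon.exe'" /rl HIGHEST /f"""},
    {"pid": 1524, "image": SCHTASKS, "parent_image": WMI,
     "cmdline": r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f"""},
    {"pid": 7000, "image": SCHTASKS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /rl LIMITED"""},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"PID {hit.pid} task {hit.task_name!r} -> {hit.target}: " + "; ".join(hit.reasons))
    print("ONLOGON+MINUTE targets:", targets_with_logon_and_interval(SAMPLE_EVENTS))
```

Requiring two indicators keeps a lone `/rl HIGHEST` or a lone short interval from paging anyone, since both occur in legitimate administrative tasks; the masquerading path and the wmiprvse.exe parent are the strong signals and either one plus anything else is worth a look. On a live host the same scoring can be applied to the output of `schtasks /query /fo CSV /v` by feeding the "Task To Run" and "Schedule Type" columns into the same checks.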
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
2.9MB
MD5 3ed22f1f48857191340f0c760ceed1cc
SHA1 ef8253c7eab15ad662686b8ce5634b7973a7bc75
SHA256 c2ab608be2caf318294a24c45d434a5acd18a9fcc01d8602c171d2b0c54c8ab7
SHA512 34c63b51d0b5e9b6f5b490b4f303c1da3ee7c860a1d8ea16e67053530b0a98be1646300e6de78c65fd10901a2bf314e07b8d179fb67642d026c61144d0311ce4
-
Filesize
1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 3235c0b45a0ee14bd4e5213339b30705
SHA1 49ebee3177d8bf7d2b1ce8df3f28f3cc576364aa
SHA256 e407d81c185f5505e1f76e43cfe12076caf7fc7ffb35fd8df087c12c35125b9f
SHA512 2e3e467a766e7f05c81f661472bf8ce944f915cf829f70b4f988b65fc55165580fe37bb8683851e28b939313707c995849fefb1f402d57998412de96cfe0cd54
-
Filesize
944B
MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
718B
MD5 bf239895c8c73d7365297742ffb74cb4
SHA1 7c970f4aa11401716a4a6cf5b219229256c3426d
SHA256 fa382062c752222cf5c81f5ee9be606c4110f617727e9f7b9e408db30d4e6954
SHA512 93fde9013772169e3855d5506bc89def4901b77e786fe138c87f656c195497809d92b4e991b40636efd1b234bd076868edd5a6b532d2ab0f9e6854a878ff6cfa
-
Filesize
718B
MD5 1bc6524f234f3066c34eaed964217786
SHA1 f8e7a00227a36dd151f557cda9b58297a4e9f4c1
SHA256 d1863e8545f91c6524184fb642e14a266963f0f1345fe4a9f19b04ba1a0603c9
SHA512 03ebc955e54cfb6d2329e74781bb04eaa8f5167bef8a3cf4b60ad73e5fe26f3374cf6e2bf95dca94dbcafe3bddb65a42822d61883555ea53b6bd01c8f417e81c
-
Filesize
718B
MD5 3feac04591e6a6557eb7eb98ecd4402d
SHA1 17b82499a5cd59b3f375a25e3ee5a82bcb3fc758
SHA256 3ab02661d08307532cf73b30faa6b2a4a5dd40c560b7421b9e411fbc2fe2276e
SHA512 4dba88a5bcc9fdcdc14f2255a0389257dedc4a428080bb1e9ecf3934f40f92e74f5393ce3050476f73feb5cf7d53fc6c54e3fd11ef82e39f74c755026f9819d8
-
Filesize
718B
MD5 959eaf14d146841f9b813bc3e0bfac45
SHA1 e41b1208a4ffacfe2acee7dd877d6fc96898f01c
SHA256 e4458cf4c8acf988ff8d2f07ffe8da3d37ee51ea13cb29524f79b138daa06b46
SHA512 0f0aa0eb00de2bf3dafd5e943dcce0eb85a82b1df37576b0ea9dc253c45f428b2cfde270796920f0acd656080803539f3b81171d556f107420e263a38d93422b
-
Filesize
207B
MD5 72014a208bb9ec64d95becb5d17987ce
SHA1 86a499b20e4a29c1bd66037a4694d58fb9d898e4
SHA256 b25638cd8a9402cd01cedd5173d631f031be3cc475b83190a0416da5369cfb6b
SHA512 90aee720455b9442a5326724292adf5d5cb73ff5042f5243b5cdc387fc0d893704e76b9d8c94178311e080691e1d5f556a58a69a585cac3f5305e2b9a7a32810
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
718B
MD5 a96c81ca98475098243479df76191d38
SHA1 0d55f4b45f08b13119fc8f9b017ddeb6361ff074
SHA256 7212089a3ea5ac7891d6622cc826711f06adb7b67fa9f92f72cb2d241433edca
SHA512 8c65b9ab90bb5083522aef89b467915c9bbc0a2e3f3d6ddbfc2fcf14d53db963cb520fe208914d28d1f8300bc848ace93854cd6c849b1d414f5fe043f94bdea5
-
Filesize
718B
MD5 db19227aac8ed34a2746e4062b4e4ee4
SHA1 6864e81308c2be1d095e0d8453439782463c4035
SHA256 2fde7b070cde433da934d8fc290d48738f5a8462d2c21ef25cd0b65ee583d40e
SHA512 bdf79033a113ceae20e41c6b868415c9cb37d9aa292a66994168972d7695f30763c7439b874f0b5d255ce99522f3063fe246e5f22ac4ea40d50e420f57ed1700
-
Filesize
718B
MD5 d34f801b2a9fa3d5733c1d4aec3e3c30
SHA1 6c829dee2eb3f1eb220cad1e4d2aa9a406b92752
SHA256 8176851426fc9cf2a9eb3c91cab6b05d8b66e08c9ed4fc978bf03d4b76e031c0
SHA512 edc2427fbf1765ccdeec051c3a249c699ed7a100ef8176f819f1bb7e0e0160c7a4123bd4dcaa10ff807956d36f5ac6d414b238a2379a4b219386edc2412f4bb0
-
Filesize
718B
MD5 f69936edfbf3f6bf2908cd48ede83b78
SHA1 14dee1d2007b0853092de9f5d2e965856832a421
SHA256 14b2b0e382605cfdff5ae1add199927cf50896d6eb005d4511f13487c1bef527
SHA512 e34e11d00f4b6c944e4e3870594980ed899a3c39779edb4ba8f917f91b9d66443f41c3a32d6c8aea0af3b797631cb35f18c0c0865f30051937e411521ae634d6
-
Filesize
718B
MD5 4ec82340f322861c6dbc0d7b364f96c0
SHA1 acd8bd9323a71531c2164d9ecf519f549c7637d7
SHA256 e71ac10770bc65e9f5b2022a8fd8e2bb7a847e7cb6330a516adff733cd3f11bb
SHA512 c668680fc8931c753639a3579cae6a299136fa57bb2b06364fdf10435b7bcc17283137ce8cf411d46b75093e4222dce46fb7d6783d202800fd89f3af9418ffdb
-
Filesize
718B
MD5 14409cdbb57eb036e434e0367ccb5e63
SHA1 4f6dba244df002e172f362e3d761308b06d07e18
SHA256 6670599d757e45b001c29430d2289b0cc71fead30177f274e8853371e0a2ac38
SHA512 cae6a3b02dd4019fcaaea8178139ab0b3905fae864879962e6d8509788b36afe545012f88785bf0dc86be6ff01bedd3392b66ff8e57f5eb5de617351dcb3439b
-
Filesize
718B
MD5 3a2ed28dfc17fb1ac1a54f3a87b0e69a
SHA1 b7f775662fd8773c9ac87d5839114fbcb9b82092
SHA256 92b87f9c77e01955f0762cf0dc3d5817c38bc1e73f28b4fe74f0f7fbe9c35b42
SHA512 82ef09833ca4aa6100049e39e54177224c0baeae462a45d3eef745109383baec773176bc496b0e31373dff00e3330f14ab4270e487f96212c5eaebd384bab915
-
Filesize
494B
MD5 834c014c4755534762bde05d0ad5499a
SHA1 29eb404a4c2811667de93fbdc603ba26d9674db9
SHA256 b71765f62aece19d35777b6becf95b9e7dd7cfbdf06ee3520e465e4ae6d60ff7
SHA512 c62a7fd854e9e7bd45699aacdbe043792e9ae163361fafd93ac00aa097c5e3a8b4eb8515b41d03f271193ff3e3dfb636932883662ed8efa237d525ea9ba2de10
-
Filesize
718B
MD5 51a44cddc79288e802d506e2ab6ddd79
SHA1 a17324ea606c5970e6a604a51cca1ab51f8360ad
SHA256 0fc93dd409a54ff28af45cdc62c83a83d044277acce7cafe031d7ce99372ab87
SHA512 7d5970500c8573888d0b01a58ae077ae8e5ed911ad15777ca50a9c58bf619b17a353658d4d77f88d6b882e1a56b48cd343c1a10fe6091b359711fdb651c91e78
-
Filesize
717B
MD5 87b10fbd2a282bedfe207dc93260db7c
SHA1 049df64cf2c17efec21dfd3f39d8fa519981e2ac
SHA256 068eca96d96d8c777e934344100361861e36d129ec1c7e47c1093e6b05715da5
SHA512 4357d672b1b83c6c6195962a90b83ef436e532419fdc6c95ad1bc08cda5454e08ce278a99cc2186de2e59c504c6aabeb22566b140893ee073562ca27a8774a52
-
Filesize
2.9MB
MD5 4744187154f1bf883aeda07c68503d56
SHA1 a9c48238455eddaf8df79ae13c03493d9b03ec00
SHA256 c3c37738590e567bbffda3930e540ac020e85f13357df65716d5c3cbfd21e371
SHA512 d6f63c83285c72cb3f6c4b8dbfe5a04e9d2ceedc0bd051b830f3180fa1592fade83c18f9f29524fbd2c93eec86d84ee9f1fff11624e0503696d321a5a06158c2
-
Filesize
2.9MB
MD5 a8afc525e8ae9a9c34f01e2efb7fdab0
SHA1 6e519caf5546a9c89e62ec00fc11d78ef2fbfb6d
SHA256 4123eccc2d223d14ab820f328e26e109a0a6fa4a58648122fbc0fa352d242836
SHA512 d0747c7bfba0dff9e8d3d98d4912653006b91ac5bb63493bef05116ba2282d1daeaad2c24958ddb96623172a12bdffa77be014e08537fedde295e90bffd37b4d
-
Filesize
2.9MB
MD5 43374f10cb920500e15ff29ce26531bd
SHA1 928af16db8da595319f5f182c48be4e568d2d356
SHA256 e142849ab90316f280db6dbba3ede5f30571aa752939b44b5d41b3926fffe33a
SHA512 75bc3ff6975e530a5df66d991a8684107af246d00345acd14099fdaf97923c3e3567b7ff16787ecabf278f3a46385f175bc5b7695a26908ab88137120e2fd8c9