Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 10:15

Behavioral task: behavioral1
Sample: da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Resource: win7-20240508-en

General

Target: da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Size: 3.2MB
MD5: da302f8b90f36acd84743c7639d4e0d0
SHA1: f8fdb617872a6f31fc21b7d7826efba0651077a4
SHA256: a22fcf8eea502fd77a86507ef856f97512aeed2006a0d79f122850f5d14dcf9b
SHA512: cb2392bfd6277ba436ccf0421baccbae4f2b6ef2ecbcd2c72c95de2e3a820a212cd9c7d3662795290341d9c285e75a8a2111fda8bb1ec296a9772689a9af9646
SSDEEP: 98304:msmfE8eD0M782w1JSdvi199xP9/ecsFjPSz:mQNBY2S99xl

Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (9 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1376 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2352 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3712 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 436 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4968 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1920 | 4912 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 4912 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Processes:
resource | yara_rule
behavioral2/memory/3448-1-0x00000000002E0000-0x000000000061C000-memory.dmp | dcrat
C:\Users\Admin\AppData\Local\Temp\RCX3D0A.tmp | dcrat
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 11 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2964 | powershell.exe
3164 | powershell.exe
1596 | powershell.exe
404 | powershell.exe
2056 | powershell.exe
3996 | powershell.exe
3988 | powershell.exe
4392 | powershell.exe
440 | powershell.exe
4992 | powershell.exe
3356 | powershell.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | sihost.exe
Executes dropped EXE (15 IoCs)
Processes:
pid | process
3872 | sihost.exe
2572 | sihost.exe
2964 | sihost.exe
3704 | sihost.exe
4364 | sihost.exe
4816 | sihost.exe
2712 | sihost.exe
3508 | sihost.exe
3184 | sihost.exe
4916 | sihost.exe
5112 | sihost.exe
3624 | sihost.exe
3188 | sihost.exe
2056 | sihost.exe
4584 | sihost.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sihost.exe
Drops file in Program Files directory (10 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Windows Portable Devices\RCX43D6.tmp | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File created | C:\Program Files\Windows Portable Devices\sysmon.exe | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX3F2E.tmp | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX3F2F.tmp | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Portable Devices\RCX43C6.tmp | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Portable Devices\sysmon.exe | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Google\CrashReports\sihost.exe | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Google\CrashReports\sihost.exe | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Google\CrashReports\66fc9ff0ee96c2 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
File created | C:\Program Files\Windows Portable Devices\121e5b5079f7c0 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\ServiceState\EventLog\dllhost.exe | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 9 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2328 | schtasks.exe
4136 | schtasks.exe
436 | schtasks.exe
1920 | schtasks.exe
4904 | schtasks.exe
1376 | schtasks.exe
2352 | schtasks.exe
3712 | schtasks.exe
4968 | schtasks.exe
Modifies registry class (15 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | sihost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
440 | powershell.exe
440 | powershell.exe
3164 | powershell.exe
3164 | powershell.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
4392 | powershell.exe
4392 | powershell.exe
404 | powershell.exe
1596 | powershell.exe
1596 | powershell.exe
404 | powershell.exe
4992 | powershell.exe
4992 | powershell.exe
2964 | powershell.exe
2964 | powershell.exe
2056 | powershell.exe
2056 | powershell.exe
3996 | powershell.exe
3996 | powershell.exe
3988 | powershell.exe
3988 | powershell.exe
3356 | powershell.exe
3356 | powershell.exe
3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
4392 | powershell.exe
3164 | powershell.exe
440 | powershell.exe
3996 | powershell.exe
1596 | powershell.exe
404 | powershell.exe
2964 | powershell.exe
4992 | powershell.exe
3988 | powershell.exe
2056 | powershell.exe
3356 | powershell.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
3872 | sihost.exe
Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 440 | powershell.exe
Token: SeDebugPrivilege | 3164 | powershell.exe
Token: SeDebugPrivilege | 4392 | powershell.exe
Token: SeDebugPrivilege | 1596 | powershell.exe
Token: SeDebugPrivilege | 404 | powershell.exe
Token: SeDebugPrivilege | 4992 | powershell.exe
Token: SeDebugPrivilege | 3996 | powershell.exe
Token: SeDebugPrivilege | 2964 | powershell.exe
Token: SeDebugPrivilege | 3988 | powershell.exe
Token: SeDebugPrivilege | 3356 | powershell.exe
Token: SeDebugPrivilege | 2056 | powershell.exe
Token: SeDebugPrivilege | 3872 | sihost.exe
Token: SeDebugPrivilege | 2572 | sihost.exe
Token: SeDebugPrivilege | 2964 | sihost.exe
Token: SeDebugPrivilege | 3704 | sihost.exe
Token: SeDebugPrivilege | 4364 | sihost.exe
Token: SeDebugPrivilege | 4816 | sihost.exe
Token: SeDebugPrivilege | 2712 | sihost.exe
Token: SeDebugPrivilege | 3508 | sihost.exe
Token: SeDebugPrivilege | 3184 | sihost.exe
Token: SeDebugPrivilege | 4916 | sihost.exe
Token: SeDebugPrivilege | 5112 | sihost.exe
Token: SeDebugPrivilege | 3624 | sihost.exe
Token: SeDebugPrivilege | 3188 | sihost.exe
Token: SeDebugPrivilege | 2056 | sihost.exe
Token: SeDebugPrivilege | 4584 | sihost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 3448 wrote to memory of 404 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 404 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 440 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 440 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 4392 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 4392 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3164 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3164 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 1596 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 1596 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 4992 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 4992 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 2964 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 2964 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3356 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3356 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3988 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3988 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3996 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3996 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 2056 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 2056 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | powershell.exe
PID 3448 wrote to memory of 3872 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | sihost.exe
PID 3448 wrote to memory of 3872 | 3448 | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe | sihost.exe
PID 3872 wrote to memory of 4504 | 3872 | sihost.exe | WScript.exe
PID 3872 wrote to memory of 4504 | 3872 | sihost.exe | WScript.exe
PID 3872 wrote to memory of 1304 | 3872 | sihost.exe | WScript.exe
PID 3872 wrote to memory of 1304 | 3872 | sihost.exe | WScript.exe
PID 4504 wrote to memory of 2572 | 4504 | WScript.exe | sihost.exe
PID 4504 wrote to memory of 2572 | 4504 | WScript.exe | sihost.exe
PID 2572 wrote to memory of 2712 | 2572 | sihost.exe | WScript.exe
PID 2572 wrote to memory of 2712 | 2572 | sihost.exe | WScript.exe
PID 2572 wrote to memory of 2620 | 2572 | sihost.exe | WScript.exe
PID 2572 wrote to memory of 2620 | 2572 | sihost.exe | WScript.exe
PID 2712 wrote to memory of 2964 | 2712 | WScript.exe | sihost.exe
PID 2712 wrote to memory of 2964 | 2712 | WScript.exe | sihost.exe
PID 2964 wrote to memory of 4556 | 2964 | sihost.exe | WScript.exe
PID 2964 wrote to memory of 4556 | 2964 | sihost.exe | WScript.exe
PID 2964 wrote to memory of 2688 | 2964 | sihost.exe | WScript.exe
PID 2964 wrote to memory of 2688 | 2964 | sihost.exe | WScript.exe
PID 4556 wrote to memory of 3704 | 4556 | WScript.exe | sihost.exe
PID 4556 wrote to memory of 3704 | 4556 | WScript.exe | sihost.exe
PID 3704 wrote to memory of 4976 | 3704 | sihost.exe | WScript.exe
PID 3704 wrote to memory of 4976 | 3704 | sihost.exe | WScript.exe
PID 3704 wrote to memory of 4244 | 3704 | sihost.exe | WScript.exe
PID 3704 wrote to memory of 4244 | 3704 | sihost.exe | WScript.exe
PID 4976 wrote to memory of 4364 | 4976 | WScript.exe | sihost.exe
PID 4976 wrote to memory of 4364 | 4976 | WScript.exe | sihost.exe
PID 4364 wrote to memory of 2960 | 4364 | sihost.exe | WScript.exe
PID 4364 wrote to memory of 2960 | 4364 | sihost.exe | WScript.exe
PID 4364 wrote to memory of 1472 | 4364 | sihost.exe | WScript.exe
PID 4364 wrote to memory of 1472 | 4364 | sihost.exe | WScript.exe
PID 2960 wrote to memory of 4816 | 2960 | WScript.exe | sihost.exe
PID 2960 wrote to memory of 4816 | 2960 | WScript.exe | sihost.exe
PID 4816 wrote to memory of 1824 | 4816 | sihost.exe | WScript.exe
PID 4816 wrote to memory of 1824 | 4816 | sihost.exe | WScript.exe
PID 4816 wrote to memory of 412 | 4816 | sihost.exe | WScript.exe
PID 4816 wrote to memory of 412 | 4816 | sihost.exe | WScript.exe
PID 1824 wrote to memory of 2712 | 1824 | WScript.exe | sihost.exe
PID 1824 wrote to memory of 2712 | 1824 | WScript.exe | sihost.exe
PID 2712 wrote to memory of 3956 | 2712 | sihost.exe | WScript.exe
PID 2712 wrote to memory of 3956 | 2712 | sihost.exe | WScript.exe
PID 2712 wrote to memory of 3376 | 2712 | sihost.exe | WScript.exe
PID 2712 wrote to memory of 3376 | 2712 | sihost.exe | WScript.exe
System policy modification (1 TTPs, 48 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sihost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sihost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\da302f8b90f36acd84743c7639d4e0d0_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3872 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7af6a02-58e4-4c8d-a720-65e599626d92.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2572 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\923d7220-d44c-4527-b8af-9bec626431dd.vbs"5⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b80c72ab-4b1a-4370-8ac7-2aa9390d9ef9.vbs"7⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3704 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af7c36c7-0295-4088-8a3a-9abf35df05cc.vbs"9⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4364 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be561dfa-dc37-4c79-a52e-90a82faa7c02.vbs"11⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4816 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97ef5c2c-3241-42e7-97fc-c81ec8f5b01d.vbs"13⤵
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2712 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1725a334-0402-44a7-a381-3f331601735e.vbs"15⤵PID:3956
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfe0eb68-6f62-4a52-8054-7ab417839e89.vbs"17⤵PID:4212
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3184 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e80ad66-59ff-4bea-9db4-0df85139ac48.vbs"19⤵PID:1436
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4916 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da35f0d7-f744-4562-a3e7-95625eff0de8.vbs"21⤵PID:332
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5112 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1063dee0-da0a-43df-afc1-c6d3b34943dc.vbs"23⤵PID:1684
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3624 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96434b13-5af3-4a61-96f0-9848579e0e38.vbs"25⤵PID:2276
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"26⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3188 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04adecc0-68c2-44b6-b994-64c5fd4d8088.vbs"27⤵PID:3068
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"28⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2056 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75ae236-55db-445b-82e4-0d99ddc34265.vbs"29⤵PID:3820
-
C:\Program Files (x86)\Google\CrashReports\sihost.exe"C:\Program Files (x86)\Google\CrashReports\sihost.exe"30⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4584 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c7e295-388c-4eab-935a-ca5bb78c4586.vbs"29⤵PID:4508
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7260584f-1f2c-4d7c-98ec-95dea2df4563.vbs"27⤵PID:1300
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01aabcbe-237e-4787-93f2-f99301fdd236.vbs"25⤵PID:208
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\587f3d2c-df7d-4031-933b-787aafc80eeb.vbs"23⤵PID:4692
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f27b5bc-324e-418e-8fd0-cce37563700f.vbs"21⤵PID:3044
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97b626d8-36e2-41d1-8393-ebc5f55a4c33.vbs"19⤵PID:3176
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df18b71e-a292-49e9-909e-4400cedf77b7.vbs"17⤵PID:2768
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed68d7c-45f3-4ed9-add7-1fd798cee6ae.vbs"15⤵PID:3376
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2897efd-f0a0-4dba-a774-9eca2b6bec52.vbs"13⤵PID:412
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cac550f-7fde-43df-bbeb-65f08654c20a.vbs"11⤵PID:1472
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc8b3093-06bc-4259-ba57-42a9ccaba795.vbs"9⤵PID:4244
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe47695-9c83-40c6-a4c6-0a74d5f55c72.vbs"7⤵PID:2688
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b643d122-2568-4101-87c5-c62fa75ba29d.vbs"5⤵PID:2620
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22a7699-96b5-47f4-8637-65af61b2ca52.vbs"3⤵PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads