Analysis
- max time kernel: 149s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 15:29
Behavioral task: behavioral1
Sample: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Resource: win7-20240221-en
General
- Target: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
- Size: 2.9MB
- MD5: e349210264df2c9c8513e938aa1f3940
- SHA1: e689f7221e0954c75e760d5103723c021b82eebb
- SHA256: 4d520afba4c682d393f2979de1abea0e96ec9f84f2b1d0164b57eea4eea15175
- SHA512: 93fb466f6a853c227ebf88ed5586d509e4982f6b0c6e6dce7343c38e887a5c5e5f9b3484d70c7d64b3bdff50a2a93bb73ce7e6a4f6eb4ee8960052248db08b99
- SSDEEP: 49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4752) is not expected to spawn schtasks.exe; spawned schtasks.exe PIDs: 516, 4864, 3764, 2396, 3312, 4720, 1464, 704, 2952, 1304, 3100, 5096, 1460, 3108, 2596, 1732, 1172, 4892, 736, 2408, 3692, 928, 3456, 4308
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, sysmon.exe (12 instances)
Registry values set (39 events, 13 per value; 3 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, one per value, and 36 by sysmon.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes:
- yara_rule dcrat matched resource behavioral2/memory/692-1-0x0000000000790000-0x0000000000A76000-memory.dmp
- yara_rule dcrat matched resource C:\Windows\CbsTemp\spoolsv.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (11 instances), PIDs 2484, 4020, 4428, 844, 4376, 1416, 4436, 4356, 3092, 552, 1184
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: sysmon.exe (12 instances), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (13 events: 12 by sysmon.exe, 1 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe)
Executes dropped EXE 12 IoCs
Processes: sysmon.exe (12 instances), PIDs 4748, 4992, 2484, 4712, 1368, 4444, 3388, 3152, 4536, 1116, 3376, 4908
Processes: sysmon.exe (12 instances), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (26 events):
- Key value queried: 13 events (12 by sysmon.exe, 1 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe)
- Set value (int) EnableLUA = "0": 13 events (12 by sysmon.exe, 1 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe)
Drops file in Program Files directory 20 IoCs
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (all 20 events)
- File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Registry.exe
- File created C:\Program Files\Microsoft Office\TextInputHost.exe
- File opened for modification C:\Program Files (x86)\Windows NT\Accessories\RCX6063.tmp
- File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe
- File opened for modification C:\Program Files\Microsoft Office\TextInputHost.exe
- File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe
- File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\121e5b5079f7c0
- File created C:\Program Files (x86)\Windows NT\Accessories\lsass.exe
- File created C:\Program Files (x86)\Windows Defender\ja-JP\e6c9b481da804f
- File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Registry.exe
- File opened for modification C:\Program Files (x86)\Windows NT\Accessories\lsass.exe
- File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe
- File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\ee2ad38f3d4382
- File created C:\Program Files (x86)\Windows NT\Accessories\6203df4a6bafc7
- File created C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe
- File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\RCX5E3F.tmp
- File created C:\Program Files\Microsoft Office\22eafd247d37c3
- File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX5C2B.tmp
- File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\RCX6277.tmp
- File opened for modification C:\Program Files\Microsoft Office\RCX669F.tmp
Drops file in Windows directory 5 IoCs
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (all 5 events)
- File created C:\Windows\PrintDialog\en-US\StartMenuExperienceHost.exe
- File created C:\Windows\CbsTemp\spoolsv.exe
- File created C:\Windows\CbsTemp\f3b6ecef712a24
- File opened for modification C:\Windows\CbsTemp\RCX648B.tmp
- File opened for modification C:\Windows\CbsTemp\spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (24 instances), PIDs 1464, 2952, 3100, 5096, 3456, 4720, 704, 736, 3692, 2408, 928, 516, 3764, 2396, 3312, 1460, 4892, 4308, 4864, 1304, 3108, 2596, 1732, 1172
Modifies registry class 13 IoCs
Processes: sysmon.exe (12 instances), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (13 events: 12 by sysmon.exe, 1 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe)
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes (47 events):
- e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, PID 692: 5 events
- powershell.exe, PIDs 1184, 4436, 3092, 2484, 4376, 4428, 844, 4356, 552, 4020: 3 events each (30)
- sysmon.exe, PIDs 4748, 4992, 2484, 4712, 1368, 4444, 3388, 3152, 4536, 1116, 3376, 4908: 1 event each (12)
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes (Token: SeDebugPrivilege, 23 events):
- e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, PID 692
- powershell.exe, PIDs 1184, 4436, 3092, 4376, 2484, 4356, 4020, 4428, 844, 552
- sysmon.exe, PIDs 4748, 4992, 2484, 4712, 1368, 4444, 3388, 3152, 4536, 1116, 3376, 4908
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, cmd.exe, sysmon.exe (6 instances), WScript.exe (6 instances)
Each parent-to-child write below was recorded twice (64 events, 32 distinct PID pairs):
- PID 692 e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe wrote to memory of powershell.exe PIDs 552, 1184, 844, 1416, 4436, 4356, 4376, 2484, 4428, 4020, 3092
- PID 692 e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe wrote to memory of cmd.exe PID 1116
- PID 1116 cmd.exe wrote to memory of w32tm.exe PID 4768 and sysmon.exe PID 4748
- PID 4748 sysmon.exe wrote to memory of WScript.exe PIDs 2060, 4240
- PID 2060 WScript.exe wrote to memory of sysmon.exe PID 4992
- PID 4992 sysmon.exe wrote to memory of WScript.exe PIDs 3388, 4424
- PID 3388 WScript.exe wrote to memory of sysmon.exe PID 2484
- PID 2484 sysmon.exe wrote to memory of WScript.exe PIDs 4364, 696
- PID 4364 WScript.exe wrote to memory of sysmon.exe PID 4712
- PID 4712 sysmon.exe wrote to memory of WScript.exe PIDs 4720, 60
- PID 4720 WScript.exe wrote to memory of sysmon.exe PID 1368
- PID 1368 sysmon.exe wrote to memory of WScript.exe PIDs 3180, 4060
- PID 3180 WScript.exe wrote to memory of sysmon.exe PID 4444
- PID 4444 sysmon.exe wrote to memory of WScript.exe PIDs 3804, 3352
- PID 3804 WScript.exe wrote to memory of sysmon.exe PID 3388
System policy modification 1 TTPs 39 IoCs
Processes: sysmon.exe (12 instances), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Registry values set (39 events, 13 per value; 3 by e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, one per value, and 36 by sysmon.exe):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe" (depth 1)
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' (depth 2)
- Command and Scripting Interpreter: PowerShell
PID:1416 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' (depth 2)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qh9VekMcNe.bat" (depth 2)
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (depth 3)
PID:4768
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 3)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4748 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82c33a76-482b-4c63-b143-e906d9dc6fe9.vbs" (depth 4)
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 5)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4992 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f934632b-0b62-4e0f-81b3-1bfa77017b2d.vbs" (depth 6)
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 7)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2484 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b130ef7-7610-49a4-b9a4-f26cd85fc60d.vbs" (depth 8)
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 9)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4712 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\929593c7-7000-4505-945d-a32b494fcb43.vbs" (depth 10)
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 11)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1368 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f69558bf-b4d3-47ea-bf0f-a48954c2739f.vbs" (depth 12)
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 13)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4444 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32e09c32-50c5-48cd-807a-6c69ffa2e2e5.vbs" (depth 14)
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 15)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3388 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20cfcbef-b0b9-4922-a83f-5968c6a5a53b.vbs" (depth 16)
PID:3960
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 17)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3152 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2355dd4d-d008-4794-980d-fcaccb0761d6.vbs" (depth 18)
PID:4756
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 19)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4536 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a310182-8dc8-4d0a-b40b-7f2807d65bf5.vbs" (depth 20)
PID:4148
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 21)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1116 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1756601-a560-4f71-8143-1c3a32fadff4.vbs" (depth 22)
PID:4248
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 23)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3376 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0d43544-f15a-4545-ac4a-68648888ff72.vbs" (depth 24)
PID:1692
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe "C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe" (depth 25)
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4908 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14fd738e-2af5-4917-9cc7-996ceec93925.vbs" (depth 26)
PID:1208
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e208bf7-498d-4623-8aa3-381864b29166.vbs" (depth 26)
PID:2656
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e7def4-9403-4204-ba6a-5b7edfab2864.vbs" (depth 24)
PID:4152
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c209b46a-cac2-48b2-b1db-128bb1fb1392.vbs" (depth 22)
PID:5024
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\389e1f54-8c01-4226-a20d-bd1f7962d505.vbs" (depth 20)
PID:412
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4403b37b-7848-4851-9e64-faa24d259bdc.vbs" (depth 18)
PID:1560
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0d48346-e6ce-4386-9f22-c2a5474ccb6d.vbs" (depth 16)
PID:824
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f46b37-6c17-4c7d-9fdd-4fcb84107481.vbs" (depth 14)
PID:3352
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\087ce2d6-11da-4cd1-9dfb-8c66ac19bd04.vbs" (depth 12)
PID:4060
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f550c0ee-1727-49ab-9a77-a6f39310f549.vbs" (depth 10)
PID:60
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c3ed728-c385-4e4b-9556-776a37a4c3ae.vbs" (depth 8)
PID:696
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a72462-e69d-499f-80d5-56639959363a.vbs" (depth 6)
PID:4424
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87077c02-db44-4ed0-b582-4843dd4c22e0.vbs" (depth 4)
PID:4240
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\sysmon.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Registry.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\lsass.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\spoolsv.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\TextInputHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Favorites\Registry.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\Registry.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Downloads