Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 16:24
Behavioral task: behavioral1
- Sample: d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
- Resource: win7-20240220-en
General
- Target: d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
- Size: 3.2MB
- MD5: d96af1f18f70dd1401179685f518b060
- SHA1: 2111cbea44fe1c5af0c3bfd7b48c9de09e769f3e
- SHA256: cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8
- SHA512: 5ef31420588da5afed32d8c0fc6e6dc1742927abe1658a5ffe36cc0e82794b1c03a94a7ba9e8d6d18a6fe82e1deba5c825fde442ffbe0c0e7ce8658ebc317c98
- SSDEEP: 49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
UAC bypass
Processes: explorer.exe, d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe, explorer.exe, explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Processes:
resource | yara_rule
behavioral1/memory/2068-1-0x0000000000240000-0x000000000057C000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe | dcrat
C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe | dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe | dcrat
C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe | dcrat
C:\MSOCache\All Users\RCX2F72.tmp | dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe | dcrat
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe | dcrat
C:\Windows\Microsoft.NET\wininit.exe | dcrat
behavioral1/memory/1632-344-0x0000000001280000-0x00000000015BC000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE 3 IoCs
Processes:
pid | process
1632 | explorer.exe
2636 | explorer.exe
1508 | explorer.exe
Checks whether UAC is enabled
Processes: explorer.exe, explorer.exe, d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe, explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Drops file in Program Files directory 45 IoCs
Drops file in Windows directory 7 IoCs
Processes: d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\Microsoft.NET\wininit.exe | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File created | C:\Windows\Microsoft.NET\56085415360792 | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File opened for modification | C:\Windows\Microsoft.NET\RCX3CA6.tmp | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File opened for modification | C:\Windows\Microsoft.NET\RCX3D14.tmp | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File opened for modification | C:\Windows\Microsoft.NET\wininit.exe | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File created | C:\Windows\rescache\rc0005\sppsvc.exe | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
File created | C:\Windows\Speech\Common\fr-FR\lsm.exe | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe, powershell.exe (12 instances), explorer.exe (3 instances)
description | pid | process
Token: SeDebugPrivilege | 2068 | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 1368 | powershell.exe
Token: SeDebugPrivilege | 3064 | powershell.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 3060 | powershell.exe
Token: SeDebugPrivilege | 1652 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 1784 | powershell.exe
Token: SeDebugPrivilege | 844 | powershell.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeDebugPrivilege | 3004 | powershell.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeDebugPrivilege | 1632 | explorer.exe
Token: SeDebugPrivilege | 2636 | explorer.exe
Token: SeDebugPrivilege | 1508 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
Processes: explorer.exe, explorer.exe, explorer.exe, d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | explorer.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\in2KLgOhRm.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1908
-
C:\Program Files (x86)\Common Files\explorer.exe"C:\Program Files (x86)\Common Files\explorer.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1632 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceafe375-0abb-497f-a952-4d6c04f676be.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Program Files (x86)\Common Files\explorer.exe"C:\Program Files (x86)\Common Files\explorer.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6ca795b-343c-49bf-84d1-9e80a04268e4.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Program Files (x86)\Common Files\explorer.exe"C:\Program Files (x86)\Common Files\explorer.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8cb4794-11eb-4df8-983d-20a1ef8014f8.vbs"8⤵PID:812
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76e91a14-3198-48c2-9223-6279937d43b2.vbs"8⤵PID:2068
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d961c263-cddb-4e23-a452-d54bec58cc26.vbs"6⤵PID:1540
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4943d02a-22e7-4b41-aea2-6406a6163081.vbs"4⤵PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalytics" /sc ONLOGON /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
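The process tree above shows the persistence pattern in full: the sample drops 3.2MB copies of itself under names of Windows system binaries (lsass.exe, dwm.exe, dllhost.exe, wininit.exe, taskhost.exe, explorer.exe) in directories where those binaries never live (MSOCache, Recovery, Program Files language folders), then registers three tasks per copy (one ONLOGON at highest run level, two MINUTE triggers with short intervals), and before that excludes every top-level folder of C: from Defender. The following Python is an added example, not part of this report or of any tool it names. It parses schtasks /create command lines and Add-MpPreference exclusion commands of exactly the form shown above and flags masquerading targets, highest-privilege run levels, sub-15-minute re-launch triggers and drive-wide exclusions. The table of expected system-binary directories, the 15-minute threshold and the sample command lines (copies of lines from this report plus constructed benign ones) are assumptions.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Binaries the dropped copies impersonate and the directories where the real
# ones live on a stock install (assumption: stock Windows 7/10 x64 layout).
SYSTEM_BINARY_DIRS = {
    "lsass.exe":    {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "dwm.exe":      {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# /tn, /sc, /mo, /tr, /rl of a 'schtasks /create' line; values are "quoted" or a bare token.
FLAG_RE = re.compile(r'/(?P<flag>tn|sc|mo|tr|rl)\s+(?:"(?P<q>[^"]*)"|(?P<bare>\S+))', re.I)
# Path argument of the Defender exclusion commands the sample runs.
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


@dataclass
class TaskFinding:
    name: str
    target: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline):
    args = {}
    for m in FLAG_RE.finditer(cmdline):
        args[m.group("flag").lower()] = m.group("q") if m.group("q") is not None else m.group("bare")
    if "tr" in args:
        args["tr"] = args["tr"].strip("'")  # the sample wraps the target as "'C:\...exe'"
    return args


def assess_task(cmdline, max_minutes=15):
    """Return a TaskFinding for a suspicious 'schtasks /create' line, else None."""
    a = parse_schtasks(cmdline)
    if "tr" not in a:
        return None
    target = PureWindowsPath(a["tr"])
    exe, parent = target.name.lower(), str(target.parent).lower()
    f = TaskFinding(a.get("tn", ""), str(target))
    if exe in SYSTEM_BINARY_DIRS and parent not in SYSTEM_BINARY_DIRS[exe]:
        f.reasons.append(f"{exe} masquerade: the real binary does not live in {parent}")
    if a.get("rl", "").upper() == "HIGHEST":
        f.reasons.append("runs at highest privilege level")
    mo = a.get("mo", "1")
    if a.get("sc", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= max_minutes:
        f.reasons.append(f"re-launched every {mo} minutes")
    return f if f.reasons else None


def triage_tasks(cmdlines):
    return [f for f in map(assess_task, cmdlines) if f is not None]


def drop_locations(findings):
    """Distinct on-disk targets of the flagged tasks: the list to collect, hash and delete."""
    return sorted({f.target for f in findings})


def broad_exclusions(cmdlines):
    """Exclusions that cover a drive root or a top-level folder, which blind Defender to almost everything."""
    out = []
    for c in cmdlines:
        m = EXCL_RE.search(c)
        if m and len(PureWindowsPath(m.group(1)).parts) <= 2:
            out.append(str(PureWindowsPath(*PureWindowsPath(m.group(1)).parts)))
    return out


# Constructed sample: seven lines copied from the report and two benign tasks that must not fire.
SAMPLE_TASKS = [
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\dwm.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "d96af1f18f70dd1401179685f518b060_NeikiAnalyticsd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\d96af1f18f70dd1401179685f518b060_NeikiAnalytics.exe'" /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f""",
    r"""schtasks.exe /create /tn "Defrag" /sc WEEKLY /tr "C:\Windows\System32\dllhost.exe" /f""",
]
# Three exclusions copied from the report and one constructed, narrow, benign exclusion.
SAMPLE_EXCLUSIONS = [
    "powershell -Command Add-MpPreference -ExclusionPath 'C:/'",
    "powershell -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    "powershell -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
    "powershell -Command Add-MpPreference -ExclusionPath 'C:/Program Files/Contoso/Scanner/'",
]

if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        print(f.name, f.target, "; ".join(f.reasons), sep=" | ")
    print("broad exclusions:", broad_exclusions(SAMPLE_EXCLUSIONS))
```

The parser does not query the scheduler itself; feed it process-creation command lines (Sysmon Event ID 1, Security 4688 with command-line auditing, or a sandbox report like this one). The masquerade check is the strongest signal here: a task named "lsass" whose action is a 3.2MB lsass.exe under MSOCache has no legitimate explanation, while the run level and minute triggers on their own do occur in benign software.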
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize 3.2MB
MD5 1b1714bac4f627d1769016a1717c643c
SHA1 2ca0858b164a325b66c57c7767ded01b9eed4d08
SHA256 a5167fa16c1ea630355300b06b8bc5ebdddf48a2f086fe83f89cca33b01c253e
SHA512 df1f1ed405019e4942c4d08703f7dd48f35c95976c27623e95f305362cea769579fb5fff52e044f73c3a8ce1950452d5d792f9349b8610429e6fbce695250bd6
-
Filesize 3.2MB
MD5 bebea6e3ba1977435aee586a2806e37e
SHA1 1528146da2456465519484479cd52ed34fdb015f
SHA256 1042b21760cdb8580bb3976e1a98d264459580dc9729830e50deea45021e4e92
SHA512 1d8c750ff8eea176bc6bb3728b3397104da569a386857cf783e3306a02b4c0fb7cbc53788550b3481f76851b0d819182eb1b9f962115d4aab27ca5c77ddc570d
-
Filesize 3.2MB
MD5 ef0d1de9745028444813b3e4ae790604
SHA1 baf2482ec616e41571383dcec1a74da02d3da386
SHA256 1a2c2f0bfabe7ba39074859978c36ae99e3687476b984dfc65c7b197eda93095
SHA512 bc18d305524e6fae19b469a29314c1d128a2b71fd6df6adf71b8a5ebc83ff4c5238d4e830b189aa91193f755c89816cd10535518a570667bf9ac08b81f714595
-
Filesize 3.2MB
MD5 8e18dbca8d56bf6af117afb870ea6323
SHA1 2bd630f2220a14d8580fd244de438735aee07ebe
SHA256 ffbf70373e8a471d16268ce18353021c8835dde61f6f66f2b84a65ddcea7aed2
SHA512 a1130a5cd09512d7992bc251d55aa5959eb0374a468306e22faab965128557f2b4d08e3dd1d92024b3e049f668211b41edadf05c43fb81c389a8b6417a4b86ff
-
Filesize 3.2MB
MD5 d96af1f18f70dd1401179685f518b060
SHA1 2111cbea44fe1c5af0c3bfd7b48c9de09e769f3e
SHA256 cc692cb560eed095d42301dda9d9825b8b6656123b88164a9fa72724b651d0c8
SHA512 5ef31420588da5afed32d8c0fc6e6dc1742927abe1658a5ffe36cc0e82794b1c03a94a7ba9e8d6d18a6fe82e1deba5c825fde442ffbe0c0e7ce8658ebc317c98
-
Filesize 3.2MB
MD5 a4dc042a79c198e8eed774604ada5713
SHA1 9136f47ae7f02d8f5569bca13effdb87faf7d57f
SHA256 6cfad97fcf955b449f2acfa106d419eec13058489ebfc34a27ea63a1813448ca
SHA512 1afd5f5ed6b76e7a43855b7038d1497730ee8030b41f1b05091ac9f218633528889fc0e2b0dcae3e31e6efaf869f35bd2206223f3b0ab416920bdc0d943712dc
-
Filesize 3.2MB
MD5 dba4a22533a36142458421bc04dec249
SHA1 caafd86aed2e81d2b3acdbf8e4bb8cf022dead95
SHA256 8f184d55e83ca88f9591a1405fc0316f5c3adfff304d19c26cac7b5c749dbd5f
SHA512 e3e44da964605002de435029af13f5e144f120a576fa41aadd7ec01fb47bb10ea7f894dc20935cbb9a2854b879131f43f2b98efed8c273a642012f5eb9384230
-
Filesize 500B
MD5 47cf4a07a01cc9df9699e67b7d401232
SHA1 1e26d5363cf5a1bcb62cbc61b6d6a5401c6ff088
SHA256 0821b191359c952ddb8b8f8321b3f21f669ad40b058823335fb3e16c349bba07
SHA512 4a26905203bbfb55082932b06a7b70956daf696cb1164be6c91fe4b7dfd572e98a63cc208f4b36bb5afa8a80d8eab9eac2fc463510a75f2776dddaa5b22cb8a4
-
Filesize 724B
MD5 7deeceee1997a31cca899febaa61dd3f
SHA1 0439648e019b01b9c3cc3d837a51baae3a341389
SHA256 2cc993f8b10c62edb2627fd815f82fbf5f58ada0492cad1b6720c1ac8dec74c9
SHA512 cb2456ce34723b76b32eb4677988268e6b6ecea71490ea1d629c23c82894ca886cc3a8ed366ab04d76aed091e12b4b4525c48bb3d767ca99cd632a53bfea9d4b
-
Filesize 724B
MD5 1881d126adc0770c904ca1634090639a
SHA1 8466dae668f6290c4004d6aebe6b3e57970336b1
SHA256 6d23e29db8d2fe6308fc7937474732c5e2475e441bc0e4a377d35841813528dc
SHA512 eaf4c61402c72836c423891f4f5024b06d6791c4dc30bfceac9fec2a1e70c75255305dd0d00b094ed919b2090cab3ded205d7f13db15646e29dce982399891d2
-
Filesize 724B
MD5 d30b8d1cb9b49bc333bb40ca1d881d7d
SHA1 187e4e1e388270c5c7a3753548bc2ca2994360a2
SHA256 c914d42ff418afb660361ac35ff5ee350e59d67b7b1e9d86169d4a51987a88f5
SHA512 74aa3b2a3da41ef8bab2277f7dd27923bb5540427de21a342d3b01ba5d1a79eb1467a83e3a48a644286924d7aee1222dfe104e82441f694640c4690dcc4aa80b
-
Filesize 213B
MD5 59623ce557cc5c7923d5ea53a55477f8
SHA1 7aa15a413c3e28bdf2bc6feff4589290c618a97b
SHA256 8c280b76d7dbabf865e07b2f7be73c5856fb4b023ede0802f0cee4ce2bf41aee
SHA512 1342a64c51f8d0efe61de2bfdbd89cfbc04147f95cdab6bcdfd61ebf8aac61cee7b2c8fb3eaa0fafeb4dfbbc1ee727a425a83264d9633245a6bd5c8cee0a9736
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 91f1590577a7348a3ea1845a150e8b3c
SHA1 9190600dde3c212bfc768dd8139eae89bfb9a959
SHA256 7595464968fdf94db3cb55e8f45a5e4db5c811a2d68014060f51f70a655c3822
SHA512 06f5e0b09a4a5e23c048bfc416faba6d5106b06c6ee34084b3695e56762ee4dc10f3feb34950c896e102f86a372d52a5729cbe055dac68975342fb4034ae9b6f
-
Filesize 3.2MB
MD5 b145d4a6c36ea250856c967124ea3cbc
SHA1 96014f4313b13ba7ae87291865375bc534792002
SHA256 fd657a08a7fa46736e0c4531c492f14cc1c1544e483235f3c5ab04c23cfbe8ed
SHA512 5a1eab15c548e1ca0255de33e4e94505f7e24ab172833937ec32fa9af8a72ed4f95d5c801cf4d778f8741f3661e45c4e4724df29664823c8019dd7696a0565b2