Analysis
-
max time kernel
137s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 20:54
Static task
static1
Behavioral task
behavioral1
Sample
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
391e059619df1772ffe560f8e23dbbe0
-
SHA1
7b1df6152dfce7747d3603efe717991539ec0a62
-
SHA256
0d3ad3b5bbc07307c098fc9a651a0848714dad8f317c9d2ff5092295b3006fc8
-
SHA512
ce09e590308b484c086ae62f7af743fe4427fa856f81ed6a65c7c652c67c7feb8d80eb5ee8952029e2d278c68d58f5ef1c7c6538113ec58f83b822a20547d46e
-
SSDEEP
24576:fXTff2BiQOY3lvbELqO7mi7JmEuibeX57XIU9wwXfNdm:fXzfSIk1+7JmEuib87p9wGdm
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe -
Executes dropped EXE 1 IoCs
pid Process 5100 dotnetchk.exe -
Loads dropped DLL 8 IoCs
pid Process 3564 MsiExec.exe 4320 rundll32.exe 4320 rundll32.exe 4320 rundll32.exe 4320 rundll32.exe 4320 rundll32.exe 4320 rundll32.exe 4320 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in Program Files directory 9 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Client.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe msiexec.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA8E2.tmp msiexec.exe File created C:\Windows\Installer\e57a858.msi msiexec.exe File created C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon msiexec.exe File created C:\Windows\Installer\e57a856.msi msiexec.exe File created C:\Windows\Installer\SourceHash{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1} msiexec.exe File opened for modification C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon msiexec.exe File opened for modification C:\Windows\Installer\e57a856.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000019be7eb961b76eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000019be7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090019be7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d19be7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000019be7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe -
Modifies registry class 32 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c\shell\open\command msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductName = "ScreenConnect Client (11b72ccd7699205c)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\PackageName = "setup.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\UseOriginalUrlEncoding = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A\Full msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Version = "83893989" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\URL Protocol msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductIcon = "C:\\Windows\\Installer\\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\\DefaultIcon" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\PackageCode = "6ED0B7625338863439950C50538479B2" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (11b72ccd7699205c)\\Elsinore.ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media\1 = ";" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5036 msiexec.exe 5036 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2976 msiexec.exe Token: SeIncreaseQuotaPrivilege 2976 msiexec.exe Token: SeSecurityPrivilege 5036 msiexec.exe Token: SeCreateTokenPrivilege 2976 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2976 msiexec.exe Token: SeLockMemoryPrivilege 2976 msiexec.exe Token: SeIncreaseQuotaPrivilege 2976 msiexec.exe Token: SeMachineAccountPrivilege 2976 msiexec.exe Token: SeTcbPrivilege 2976 msiexec.exe Token: SeSecurityPrivilege 2976 msiexec.exe Token: SeTakeOwnershipPrivilege 2976 msiexec.exe Token: SeLoadDriverPrivilege 2976 msiexec.exe Token: SeSystemProfilePrivilege 2976 msiexec.exe Token: SeSystemtimePrivilege 2976 msiexec.exe Token: SeProfSingleProcessPrivilege 2976 msiexec.exe Token: SeIncBasePriorityPrivilege 2976 msiexec.exe Token: SeCreatePagefilePrivilege 2976 msiexec.exe Token: SeCreatePermanentPrivilege 2976 msiexec.exe Token: SeBackupPrivilege 2976 msiexec.exe Token: SeRestorePrivilege 2976 msiexec.exe Token: SeShutdownPrivilege 2976 msiexec.exe Token: SeDebugPrivilege 2976 msiexec.exe Token: SeAuditPrivilege 2976 msiexec.exe Token: SeSystemEnvironmentPrivilege 2976 msiexec.exe Token: SeChangeNotifyPrivilege 2976 msiexec.exe Token: SeRemoteShutdownPrivilege 2976 msiexec.exe Token: SeUndockPrivilege 2976 msiexec.exe Token: SeSyncAgentPrivilege 2976 msiexec.exe Token: SeEnableDelegationPrivilege 2976 msiexec.exe Token: SeManageVolumePrivilege 2976 msiexec.exe Token: SeImpersonatePrivilege 2976 msiexec.exe Token: SeCreateGlobalPrivilege 2976 msiexec.exe Token: SeCreateTokenPrivilege 2976 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2976 msiexec.exe Token: SeLockMemoryPrivilege 2976 msiexec.exe Token: SeIncreaseQuotaPrivilege 2976 msiexec.exe Token: SeMachineAccountPrivilege 2976 msiexec.exe Token: SeTcbPrivilege 2976 msiexec.exe Token: SeSecurityPrivilege 2976 msiexec.exe Token: SeTakeOwnershipPrivilege 2976 msiexec.exe Token: SeLoadDriverPrivilege 2976 msiexec.exe Token: SeSystemProfilePrivilege 2976 msiexec.exe Token: SeSystemtimePrivilege 2976 msiexec.exe Token: SeProfSingleProcessPrivilege 2976 msiexec.exe Token: SeIncBasePriorityPrivilege 2976 msiexec.exe Token: SeCreatePagefilePrivilege 2976 msiexec.exe Token: SeCreatePermanentPrivilege 2976 msiexec.exe Token: SeBackupPrivilege 2976 msiexec.exe Token: SeRestorePrivilege 2976 msiexec.exe Token: SeShutdownPrivilege 2976 msiexec.exe Token: SeDebugPrivilege 2976 msiexec.exe Token: SeAuditPrivilege 2976 msiexec.exe Token: SeSystemEnvironmentPrivilege 2976 msiexec.exe Token: SeChangeNotifyPrivilege 2976 msiexec.exe Token: SeRemoteShutdownPrivilege 2976 msiexec.exe Token: SeUndockPrivilege 2976 msiexec.exe Token: SeSyncAgentPrivilege 2976 msiexec.exe Token: SeEnableDelegationPrivilege 2976 msiexec.exe Token: SeManageVolumePrivilege 2976 msiexec.exe Token: SeImpersonatePrivilege 2976 msiexec.exe Token: SeCreateGlobalPrivilege 2976 msiexec.exe Token: SeCreateTokenPrivilege 2976 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2976 msiexec.exe Token: SeLockMemoryPrivilege 2976 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2976 msiexec.exe 2976 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2736 wrote to memory of 5100 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 85 PID 2736 wrote to memory of 5100 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 85 PID 2736 wrote to memory of 5100 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 85 PID 2736 wrote to memory of 2976 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 87 PID 2736 wrote to memory of 2976 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 87 PID 2736 wrote to memory of 2976 2736 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 87 PID 5036 wrote to memory of 3564 5036 msiexec.exe 90 PID 5036 wrote to memory of 3564 5036 msiexec.exe 90 PID 5036 wrote to memory of 3564 5036 msiexec.exe 90 PID 3564 wrote to memory of 4320 3564 MsiExec.exe 92 PID 3564 wrote to memory of 4320 3564 MsiExec.exe 92 PID 3564 wrote to memory of 4320 3564 MsiExec.exe 92 PID 5036 wrote to memory of 2540 5036 msiexec.exe 105 PID 5036 wrote to memory of 2540 5036 msiexec.exe 105 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\VSD7918.tmp\DotNetFXCustom\dotnetchk.exe"C:\Users\Admin\AppData\Local\Temp\VSD7918.tmp\DotNetFXCustom\dotnetchk.exe"2⤵
- Executes dropped EXE
PID:5100
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2976
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E1E4227506E7DCFA70FCC4D31E7C04CD C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240615000 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
PID:4320
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2540
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD59bd52959d75648b9f81d074aa233f469
SHA10cfa0a0cfb9751349ea9f1208106a9d6ed66953f
SHA25659fc443dea687f70d03c54b37929c1cd651dbc9091f64a4b7a7f690eeb779b9e
SHA51210682400d85b7a2895fcbc8883cc8dd326b7185977430cf8d1ce70e36ff45f4167ea5b26b71823b212ef41f97a662016d8ebedd09ee69b14a9332679af9edf95
-
Filesize
279KB
MD56d5f46d5ae78e61ea290b6c300def625
SHA13ae79c014bc2066a9f7966d6764825c2dab24b51
SHA256a4c316a8d25936de049356c0a36f9d04feed977eca19a13b9908dc1e697aa0f8
SHA512efc8a0dfbf590c23463b82c8ffc7b295d77bccd16750e3db7ef5b2c8c8acd6ea45839abd131672b3f75198dd68e539ee30bdea1bdc54d5296f27f89acdda374f
-
Filesize
194KB
MD527eb6b7a79a41c8eb611e3d492f09acb
SHA1ac0234cc29183a58e36ea4271074fbe3eb935744
SHA256327dcc7c94c4df1822700982c40318ead01ac48fa07170221d468bf78c5189b0
SHA51235aa8861a6fd66a74a408f558b78a5b52e7b4a963c44a945260f63f4c5aece0b0446dea890cf1c01ca10600da3d4c36c224700130ecb64b5d0298396e051902a
-
Filesize
19KB
MD5fcb234ac467125d61196946526883161
SHA1b5e919ae7fdd23a40360f3d2895fd95fd7d6047d
SHA256ce1c13343377bc52ba06f20a9b8eb5d8334aa96a25db9c3dc33d8b928bfe2397
SHA512e9524c35126fe8abd3b65ddca415bc2453aa2362761e082e6df819b4efb4dbae4ec61c822a94fd401867cabca6f4ace9c1c07c3c0137ece808d65ca51dc505ef
-
Filesize
176KB
MD51e5a0962f20e91ca18bc150266e6f49e
SHA1e71caab3b88b2913178ca2ae549a00455679cd4e
SHA256fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99
SHA51209021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f
-
Filesize
85KB
MD54992d98e6772a5fd7256c4c7fe978a11
SHA16cf70905908b59553e1b92e057c3e7c13bd7b6a4
SHA2565494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0
SHA5128afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8
-
Filesize
766KB
MD5a6f2eb667909f70a151b597de548dc57
SHA1a3a55305966ec586249cf2dfcf1ae0bed98f6b61
SHA256e3a980b0f0639008d8a5a060caa3b619f3408e9dd7a3182c788b21e3cfc02d3f
SHA512f8bb35175460e398797ac9b05089fe8130d028bb1fc65a1201b63b8cd0105a2a0ed2c991f7381f7ff1ee060106e89697db54fedb4dcac648df95a3302cafb6d3
-
Filesize
23.7MB
MD571deff0dcf52e0029c3873b5a75e8cde
SHA19252fcf7dcb0d3bb3ffda8243ebec1477f4ca3d9
SHA2566edfe8d6099846642ecb47bae766c0d197e43620ae3eb5fe5c24b72c673918ad
SHA5125dfe3e3a242a5a151f1f9d8b7b0aea2915f52cd9fd218b16a981a95e31eb68884762d773b10b5776c74e0d5b99050472ec8e91187a47455294737f682d733037
-
\??\Volume{b97ebe19-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e870da61-7651-4e9f-b4be-f76678a5a52c}_OnDiskSnapshotProp
Filesize6KB
MD50e21c411dfd2fa9bbea8cec43cff078c
SHA1e20478cafd69ccf617f72413f9da83202aeb2791
SHA25696f3f826211ce1cae38c36c5dd707abe824062e6597c843de4dfd2ef84f9fd29
SHA51206daa40879ed2afbef3e9f8d4e271ae21dc1b74aa5b1ddfca8683f075c6f9d8a21b11d459c895cfeccd1f3ba2fd6e4c5ac222ed5381953fa510dc6aec7a796c6