redline | 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Size

515KB
MD5

148b2c38cf0726535d760a703f803c80
SHA1

107503ca149f547d4745fe9b9a3fbae03d60126c
SHA256

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA512

6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd
SSDEEP

12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Score

10^/10

redline sectoprat xworm docx discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
cmd.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

DOCX

beshomandotestbesnd.run.place:1111

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2480-69-0x0000000002190000-0x000000000219E000-memory.dmp	disable_win_def

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2480-27-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2480-30-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2480-28-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2480-24-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2480-22-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2480-61-0x0000000002250000-0x000000000226E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2480-61-0x0000000002250000-0x000000000226E000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2724	powershell.exe
2664	powershell.exe
1572	powershell.exe
2236	powershell.exe
2560	powershell.exe
2712	powershell.exe
2688	powershell.exe
2556	powershell.exe
944	powershell.exe
2336	powershell.exe

Drops startup file 2 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

pid process

1776 cmd.exe
1480 cmd.exe
1632 cmd.exe
2728 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

pid process

2480 148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1776	cmd.exe
1480	cmd.exe
1632	cmd.exe
2728	cmd.exe

pid	process
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe"	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.execmd.execmd.exe

description	pid	process	target process
PID 2368 set thread context of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 1776 set thread context of 1480	1776	cmd.exe	cmd.exe
PID 1632 set thread context of 2728	1632	cmd.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2648 schtasks.exe
2024 schtasks.exe
1900 schtasks.exe
1508 schtasks.exe

pid	process
2648	schtasks.exe
2024	schtasks.exe
1900	schtasks.exe
1508	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

pid process

2480 148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

pid	process
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe148b2c38cf0726535d760a703f803c80_NeikiAnalytics.execmd.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exe

pid	process
2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
2712	powershell.exe
2724	powershell.exe
2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
2664	powershell.exe
1572	powershell.exe
2688	powershell.exe
2556	powershell.exe
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
1776	cmd.exe
944	powershell.exe
1776	cmd.exe
2336	powershell.exe
1776	cmd.exe
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
1632	cmd.exe
2236	powershell.exe
1632	cmd.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exepowershell.exepowershell.exe148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.execmd.exepowershell.execmd.exepowershell.execmd.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
Token: SeDebugPrivilege	1776	cmd.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1480	cmd.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1632	cmd.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2728	cmd.exe
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

pid process

2480 148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

pid	process
2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exetaskeng.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 2712	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2712	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2712	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2712	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2724	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2724	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2724	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2724	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2368 wrote to memory of 2648	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2368 wrote to memory of 2648	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2368 wrote to memory of 2648	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2368 wrote to memory of 2648	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2368 wrote to memory of 2480	2368	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
PID 2480 wrote to memory of 2664	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2664	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2664	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2664	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 1572	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 1572	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 1572	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 1572	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2688	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2688	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2688	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2688	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2556	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2556	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2556	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2556	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	powershell.exe
PID 2480 wrote to memory of 2024	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2480 wrote to memory of 2024	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2480 wrote to memory of 2024	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2480 wrote to memory of 2024	2480	148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe	schtasks.exe
PID 2220 wrote to memory of 1776	2220	taskeng.exe	cmd.exe
PID 2220 wrote to memory of 1776	2220	taskeng.exe	cmd.exe
PID 2220 wrote to memory of 1776	2220	taskeng.exe	cmd.exe
PID 2220 wrote to memory of 1776	2220	taskeng.exe	cmd.exe
PID 1776 wrote to memory of 944	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 944	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 944	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 944	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 2336	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 2336	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 2336	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 2336	1776	cmd.exe	powershell.exe
PID 1776 wrote to memory of 1900	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1900	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1900	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1900	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1480	1776	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6190.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '148b2c38cf0726535d760a703f803c80_NeikiAnalytics.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2024

C:\Windows\system32\taskeng.exe
taskeng.exe {5829D692-7A47-42D3-B8EB-37374A2321E4} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\ProgramData\cmd.exe
  C:\ProgramData\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF3F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1900
- - C:\ProgramData\cmd.exe
    "C:\ProgramData\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- C:\ProgramData\cmd.exe
  C:\ProgramData\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD865.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1508
- - C:\ProgramData\cmd.exe
    "C:\ProgramData\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cmd.exe

Filesize
515KB

MD5
148b2c38cf0726535d760a703f803c80

SHA1
107503ca149f547d4745fe9b9a3fbae03d60126c

SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

SHA512
6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38cd71b6bff4fa5ab63d2fc1cb639605

SHA1
d22ef318263efb5482cca871170453966c94db87

SHA256
a62f31bfbf835b9708e256525650cc16cedf9f7c53ac9dafb1edb240db7a09fd

SHA512
0a7bcb224ca670c906ffc4f6f597090c4e442f950862bb7980bee4f1338e34b59af2791e72a550ea360c63c48d5b2d6370efec10ce07a8a95733ca421cf397ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab56F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D0.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6190.tmp

Filesize
1KB

MD5
3542bd4761728e730fd4307b59064fbf

SHA1
b55959760483b92d4454b276f7263cc17450ec59

SHA256
0f5be5abd70b0a448ae466cfcf27328166562e50adc38b49cd632239944d44a1

SHA512
dbdb80cb94f2703fd74278286b69dc2aa0a31951f2dddbb6e8a9d0fd4310b67c055f8a34257af2580af13bd73ee9a5850a7eceaaf9f57562d4a74d4ec4d9d1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp86D.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp883.tmp

Filesize
92KB

MD5
5f914a013176785e26d70d07234c605c

SHA1
5336e9ed6aeb682b46a0472f4f80ec24c4504210

SHA256
72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b

SHA512
103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
24c1a70de9a3b4673523824368c96039

SHA1
da7ed3bd3fde4c4f945a451afffa4e94ad7f4053

SHA256
5ca961dab6ea5ada59050da35e22d03c45990a659f03604762d695e6b679845a

SHA512
a4c7959d6ece9fbeb73c148a8fec2b15718932205289483f3f4faed7c82e395ff0f91517e5de1ec8ec606ab75a75daba954790b8c3c0b67ca5162570b488e8b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3fc4ab7054236c6358c92df13c61958

SHA1
a3f0320d54da7cfa6f1efce268115939173dee3a

SHA256
2b0fc9f93a8b8cdda668d243b31a4216164286c2218538c7f370b8f885312a23

SHA512
b482f2d6053ed4409fb360934c9d7c51cd77d9bc35efd440b1f0329501c4a2a0e336942779d9ddf7e093e23cf191820705d84e1ec369fd5beed81eb7affe60d5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1480-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1776-60-0x0000000000EC0000-0x0000000000F48000-memory.dmp

Filesize
544KB

Download
memory/2368-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/2368-5-0x0000000004790000-0x00000000047EA000-memory.dmp

Filesize
360KB

Download
memory/2368-4-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2368-3-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2368-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-31-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-1-0x00000000000B0000-0x0000000000138000-memory.dmp

Filesize
544KB

Download
memory/2480-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-61-0x0000000002250000-0x000000000226E000-memory.dmp

Filesize
120KB

Download
memory/2480-70-0x0000000007610000-0x00000000078F2000-memory.dmp

Filesize
2.9MB

Download
memory/2480-69-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/2480-77-0x0000000005790000-0x00000000057A6000-memory.dmp

Filesize
88KB

Download
memory/2480-76-0x0000000006240000-0x000000000628A000-memory.dmp

Filesize
296KB

Download
memory/2480-75-0x0000000005A00000-0x0000000005A34000-memory.dmp

Filesize
208KB

Download
memory/2480-74-0x0000000007900000-0x00000000079A6000-memory.dmp

Filesize
664KB

Download
memory/2480-73-0x0000000004830000-0x0000000004838000-memory.dmp

Filesize
32KB

Download
memory/2480-72-0x0000000005580000-0x00000000055C8000-memory.dmp

Filesize
288KB

Download
memory/2480-71-0x0000000005420000-0x000000000543C000-memory.dmp

Filesize
112KB

Download
memory/2480-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2480-18-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download