134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Size

91KB
MD5

49202c4c2cf07bce3828022e11c28a30
SHA1

75f5460a5dbe0b68ea7329e25cee3ed55b0576ae
SHA256

134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11
SHA512

caff3c2f6afaa3a34e96d7a92cdc4f969460eeb8d73139f3638f190683aef0a19660de6f2eb1e7573371732d58d494d69bf2015c74f59d08eb40e82c460b4849
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuCg3gRYjXbUeHORIC40:uT3OA3+KQsxfS4kT3OA3+KQsxfS4u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1592	xk.exe
2676	IExplorer.exe
2236	WINLOGON.EXE
1876	CSRSS.EXE
2252	SERVICES.EXE
876	LSASS.EXE
2300	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
1592	xk.exe
2676	IExplorer.exe
2236	WINLOGON.EXE
1876	CSRSS.EXE
2252	SERVICES.EXE
876	LSASS.EXE
2300	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1592	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 1592	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 1592	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 1592	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2676	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2676	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2676	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2676	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2236	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2236	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2236	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2236	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 1876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	31
PID 2904 wrote to memory of 1876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	31
PID 2904 wrote to memory of 1876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	31
PID 2904 wrote to memory of 1876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	31
PID 2904 wrote to memory of 2252	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 2252	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 2252	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 2252	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	33
PID 2904 wrote to memory of 876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	33
PID 2904 wrote to memory of 876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	33
PID 2904 wrote to memory of 876	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	33
PID 2904 wrote to memory of 2300	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 2300	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 2300	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 2300	2904	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2236
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2252
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
0211961bd4c59dcc2b67968806c5ffdf

SHA1
cb1b415f24da18bf703a65710b34bf30cfb5937d

SHA256
446a0c20eaf5f77a691f609e64982476039f154154cf35d547fc6f61d43f833d

SHA512
8c924b2ecb5e9f5c4d49d8ee0f9c7c41bb4fc169958671917d303f01a40e654494ef959e111c2a4b9a251ea8f9b77d99a678cf88b51d0a419681dfd3b56e6589

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
a6c9ce23f9b160bb3df654d72858934d

SHA1
df4768cad942ede6aa1d3961aa839cc8280733a5

SHA256
a0cd41924f733f49ead18619921ece86e1f31e95baf83a6dbe01cbb43759c6f7

SHA512
6e5a4e6755baa1b5fa53329f124bde14752b733853ea71715b0119c1ecb3881a916e5bb14bd7cec2622f9d4e2ee9abd69eb56c262eb5e4ab134ef59eea2b5143

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
49202c4c2cf07bce3828022e11c28a30

SHA1
75f5460a5dbe0b68ea7329e25cee3ed55b0576ae

SHA256
134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11

SHA512
caff3c2f6afaa3a34e96d7a92cdc4f969460eeb8d73139f3638f190683aef0a19660de6f2eb1e7573371732d58d494d69bf2015c74f59d08eb40e82c460b4849

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
97dada6e43c63810147f249f68d42a24

SHA1
fa92f581bd0a7bf41a7e30a07bf2fa7b812f5f1f

SHA256
ccb93b2b4750a57b1b5f7a9ff5c42be50a90dc69e70e0aba36e48db1e439e73c

SHA512
90a096289d8250df421464fdd75204b5f36d0980da048f7e48daf16f1aa97ad8b05a15acfb079820dca64175e07782047a4f53529d22e63d1b6278b57bd8f25c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
ce1ced6a926c5be453cc4378baa365fb

SHA1
f803b072e61aa86e69e18da405044bfe6e158246

SHA256
d37111d25c8bef5d38408a034b87fcaa10479207e42fb5fc9e3f91bbdfb88d13

SHA512
e045ada1a2135ca739d302655d2a5ab98b8490dd66668075c17d2e9b6b245a1440aa97cc105a6d36fa0050b6c65f601cac9ddadb381381b26c4500f8843c9bc3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
e4baeb6fd6d93bf00ed735dd15bdf2ad

SHA1
931519e38361c31e37ff502cb52a99a859f8c3e6

SHA256
01d7e0817c3854158a5c3e68871281fcfaaa458839a96406eed10367582ea198

SHA512
cbfc605759364b38e8c7e67d8cb9853597825ad69e4cd508a772dc08325c51ef168099dfbaf7056375970524169772e14fd4d25489f5622443e754dfb0ffa5f8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
aab1f5d03b5229c4902e0e0c418273b4

SHA1
8add53beb959ddd4a4d443114eb8373e8987cb01

SHA256
c1e9406175602230918bc5971d461350a6a0aaf82817586c6a6f24e635e89c5c

SHA512
0afba23651030e8899e88d045ecd674c75c4b112b0821e8138d0f804016c7c92052752368a8571249f1e55519fd994c1a91bd2bde90f1b1a740e6206324851e3

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
ca329b4e9abd845518bb7d29b23443aa

SHA1
2f4508df13fa102422f9e141a9335259d4221095

SHA256
ecf71739feae50590f106fd7f8f51cfb5c7bb13a19fb48ab0f92ce9c03baa076

SHA512
3f4dd2de4bd9e115c7aa9db895bbaeec38b04e62a4df345577377675d9ac126760350a3d11ff15c8c6a4d4030ccd72ae8295e620f9f433628846e8cb2e120fd2

Download Submit
memory/876-188-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/876-192-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1592-114-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1592-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1592-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1876-159-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1876-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1876-164-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2236-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2236-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2236-147-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2252-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2252-174-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2300-201-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2300-206-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-132-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2676-131-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2904-116-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-163-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-173-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2904-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2904-117-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-179-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2904-145-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2904-200-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2904-209-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2904-208-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2904-130-0x0000000002550000-0x000000000257C000-memory.dmp

Filesize
176KB

Download
memory/2904-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2904-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download