ac565335f4dfc6d91f0d64c83cafcefcf703ad7c8f879b0cc9cbc7b1f7d1cf69

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Size

91KB
MD5

460b9a89f72f64370c1e20522291e040
SHA1

97c462933e6a4a8e2ccb12eabdee941baca851c7
SHA256

ac565335f4dfc6d91f0d64c83cafcefcf703ad7c8f879b0cc9cbc7b1f7d1cf69
SHA512

faa3cb97940dd61682a2531c017c600c3724e55f633ad0f4080ac147a0fd5934560d03e4d85a07420060cdb5d1d0e072e781f87992cc7698aec7f14298de4774
SSDEEP

1536:8AwEmBj3EXHn4x+9aTSAwEmBj3EXHn4x+9aBm:8GmF3onW+MTSGmF3onW+MBm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 13 IoCs

pid	Process
580	xk.exe
308	IExplorer.exe
2816	WINLOGON.EXE
2144	CSRSS.EXE
2672	SERVICES.EXE
1376	LSASS.EXE
3032	xk.exe
2060	IExplorer.exe
2072	WINLOGON.EXE
692	CSRSS.EXE
1060	SERVICES.EXE
2176	LSASS.EXE
884	SMSS.EXE

Loads dropped DLL 22 IoCs

pid	Process
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\desktop.ini	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	F:\desktop.ini	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\T:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\W:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\B:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\E:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\G:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\M:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\O:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\X:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\H:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\J:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\K:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\L:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\U:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\I:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\N:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\P:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\R:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened (read-only)	\??\V:	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ = "_NewItemAlertRuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ = "_Table"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ = "AddressEntry"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ = "_BusinessCardView"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\ = "_RemoteItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ = "_PostItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2112	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2112	OUTLOOK.EXE
2112	OUTLOOK.EXE
2112	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2112	OUTLOOK.EXE
2112	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
580	xk.exe
308	IExplorer.exe
2816	WINLOGON.EXE
2144	CSRSS.EXE
2672	SERVICES.EXE
1376	LSASS.EXE
3032	xk.exe
2060	IExplorer.exe
2072	WINLOGON.EXE
692	CSRSS.EXE
1060	SERVICES.EXE
2176	LSASS.EXE
884	SMSS.EXE
2112	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 580	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 580	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 580	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 580	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 308	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 308	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 308	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 308	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 2816	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	30
PID 1284 wrote to memory of 2816	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	30
PID 1284 wrote to memory of 2816	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	30
PID 1284 wrote to memory of 2816	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	30
PID 1284 wrote to memory of 2144	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2144	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2144	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2144	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2672	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	32
PID 1284 wrote to memory of 2672	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	32
PID 1284 wrote to memory of 2672	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	32
PID 1284 wrote to memory of 2672	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	32
PID 1284 wrote to memory of 1376	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	33
PID 1284 wrote to memory of 1376	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	33
PID 1284 wrote to memory of 1376	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	33
PID 1284 wrote to memory of 1376	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	33
PID 1284 wrote to memory of 3032	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	34
PID 1284 wrote to memory of 3032	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	34
PID 1284 wrote to memory of 3032	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	34
PID 1284 wrote to memory of 3032	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	34
PID 1284 wrote to memory of 2060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	35
PID 1284 wrote to memory of 2060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	35
PID 1284 wrote to memory of 2060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	35
PID 1284 wrote to memory of 2060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	35
PID 1284 wrote to memory of 2072	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	36
PID 1284 wrote to memory of 2072	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	36
PID 1284 wrote to memory of 2072	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	36
PID 1284 wrote to memory of 2072	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	36
PID 1284 wrote to memory of 692	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	37
PID 1284 wrote to memory of 692	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	37
PID 1284 wrote to memory of 692	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	37
PID 1284 wrote to memory of 692	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	37
PID 1284 wrote to memory of 1060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	38
PID 1284 wrote to memory of 1060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	38
PID 1284 wrote to memory of 1060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	38
PID 1284 wrote to memory of 1060	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	38
PID 1284 wrote to memory of 2176	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	39
PID 1284 wrote to memory of 2176	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	39
PID 1284 wrote to memory of 2176	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	39
PID 1284 wrote to memory of 2176	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	39
PID 1284 wrote to memory of 884	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	40
PID 1284 wrote to memory of 884	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	40
PID 1284 wrote to memory of 884	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	40
PID 1284 wrote to memory of 884	1284	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe	40

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\460b9a89f72f64370c1e20522291e040_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:308
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2060
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2072
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:692
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1060
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:884

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
9b4c31f354200dbec4447de319a43704

SHA1
6f17018defccbd037103ce389753c5dae2aa9ee8

SHA256
113ce03aca3266914faae83c5dbfafe43e6b510ba655afe1937cc0448045dad2

SHA512
909347538ab8adc3615b9a607caf6fcdeec009b641d1411a21fa7179e45ea34bae039bcc3dc4e9f449f96ee1c7ec18bcc328148e2dcc4943cd4201534ecc63e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
24421d478fa06798a75dcf50b31d1f56

SHA1
28b6a6ef9144cfcc3b6c2884fdc01c84c4e43cf6

SHA256
66bf3f2704cb0f51a2429d291673cdb77de84c66c7375c1669544d3eb6d69142

SHA512
5cd512ae0667929ea60a4ed77e4f38ca0fc3e3a0a912c13c0c7d4a036a1c017937a38fa97e04d41840c8473053324c7bb16f7ec3edd81fcc025b02e6d774280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
946dbe597ae980f49f2bc820aab08715

SHA1
97f21e55e7ced45d2be844d10914eb2d0a50d49e

SHA256
d271bfbee6a8fcd0449a5e92842a9a1d218e2e61626aeae2cd0e5c2407a1f27b

SHA512
b12ce99dbd14b5d9369ad4f1cecc00e96567d878b6a2b978579dd4fee037ffcba3861b51fe9f7313cb195421d841c8f137e2c61526e5e329f1a3f3da4b6d410a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
460b9a89f72f64370c1e20522291e040

SHA1
97c462933e6a4a8e2ccb12eabdee941baca851c7

SHA256
ac565335f4dfc6d91f0d64c83cafcefcf703ad7c8f879b0cc9cbc7b1f7d1cf69

SHA512
faa3cb97940dd61682a2531c017c600c3724e55f633ad0f4080ac147a0fd5934560d03e4d85a07420060cdb5d1d0e072e781f87992cc7698aec7f14298de4774

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
b8cb0f68878c15e0d9d07e4740b3e66f

SHA1
763b01efe6a0c2ad0d030d4cef6329e49a4ed634

SHA256
6a1005c933ae33a188e88bf36f7ee47cec92dd1ea51a13fa0e6d424a7e6014b7

SHA512
1cdcbccab9def9c8ee996cb8e39ad8fe2010d5013670a6c80a55e2c53122468471498ac1303ad787e046f083f117bd5a2da17a0d840d15107a8dbb85ea28d1d1

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
d0dbc241db51c3f236441a6c56aae9ef

SHA1
47bcd701ea5a67d55ad6648ab5044cf4d155845a

SHA256
4ba17b24435c1132a2c4127a86a267f2471f6e45b2b5dfbc4463c6a14beedd83

SHA512
a541ea38868d1139f978a42f8e30381da2d87a8f540b7f4f4f28935c85d469cd09cea400f39e6ea8fed3c177bc25918f0e147431988a50bacb902ff916e4c813

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
4a192fa37c92bbe9f368b8f99459a2e2

SHA1
f638596e3f4046627fdaa3f7a30272bed4685397

SHA256
c88f700a89c72edbd7d0496ab1ac443f5b1ca8cdc0a88fd613d7f4015ae0c201

SHA512
31b60b454fb9f4b1f4ec63c9b8900ee160b51d973f52c4ac155e66d0569aef8ec2bb68e2e9be63c2dbaa04bbf8f6edaa320a1bd3ec176a7aa135d03969e7644b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
acc7650d84a3796bc8276ecf691324c9

SHA1
0bfa42b049d6477ee12d52b744ec0aa4afb5b94d

SHA256
a6e3f0a146495642b5774fdb27607236fa30c7ef712966477a20f4104c5b3eb7

SHA512
e64eadb51d01f4944953eca8fa49481fcb703b782c3e85c5bafc80a8654ca36ac45f143120f0e738e8b46c22b8ac3051877895d4c7288c261f8fef317b64af78

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
dd95af9c1d6d119542ca2bcec593a0ef

SHA1
681cb98c9c8d5d0e75b18679e01c0cd922c96834

SHA256
a23aec98b994a13b1e534808e8b85588b73e5ca7f2a155910fc29f2f245c1ac3

SHA512
45fb6ada59b60c366b615a05087e0d3fd72bc0cd3166ba66a0065bbc764fcae8113e780624500b3a071d42d85c4eb749e4a50723c4882da79141f35faa30166e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
702bde8eb93bee363940ba618195a040

SHA1
2e4548ff363e43d46bb32529dacd82563b92e8f8

SHA256
697d0c8ef9b9dc72c977226d5017ba2538896cd7cd9812e9bde7d1bc77a31711

SHA512
0febb95d8f36ac5147d2b045ac8ff92335f7b33b1216256db1855ef08153f8d4c50ac880519858a2e563786891caa28df07e12958eb61e3af22a04e26b2c971a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
06fbd1dc4bfe56e7a391f92ac057141b

SHA1
5f118f485027772a35e3b64e50742714d6ee14d5

SHA256
1dc031419e82f775e04b6c41eb7a6a3fb4645e5ad15aab4acbb2ce4aabe3bbaa

SHA512
fdc3335c8946ea0efc76a57cf57c1bf399faed96b9cd090bbec16c8b0802da8232e841ccd5875b8da673660800f568b0d23769e4e3c799c70a249bbccff18f9f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
60166ba936f3604928b8c11733611f83

SHA1
72475fb75490a17f73cf2360138cbe30cd4f3212

SHA256
b13f7a80c40fb9dba2e3ab02f48f0351dfb05fcaa84b9d408f9957bb2d9f212b

SHA512
2c7d1721da8a07b9064ed3c4a07f1a5c7dbd7cf060b158d8484027c56264cc54cb6b6f9fdb0be772714a337d1732199f830c516b17933f0cef7a423e7ad21967

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
e96e8bc112b42471f5e85250f63d1b0d

SHA1
7aa57d2df28be5bf5ce0b8609412578c17e41445

SHA256
1312c1c7674f9648630510a14777e66df013ac3954706dce682a63d962f55f88

SHA512
6ed6906c5f89bdb34a191e32736a9c4c943806605ebc18e72184d68f72489b3f62913b155a69f86cabd94e428c3f02cf8d7d5818b78854c0b510a6b8829ffffb

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
1769231d3631ab9c6b914e797fde22b9

SHA1
b389aeda5d1111457ece5096fe43769c3ecc7495

SHA256
dc8bd1764f61f5f5f8784f2cdc81d043fe16316c092e6e1c5b4cba8c29fc35f2

SHA512
0b3c9668214f003be84a6ca81d5166e6aedaca9fe2189ae6f838611b716e0accb8dbe4eaa3de835e99263bbfcc785935ebcdd4d5e4f6ce2fccd7a3675ae2528a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
d6e101b10e588749637b06b739510ce2

SHA1
7be57ed7b86cea791a6a77fda08bd43ad5fe7b43

SHA256
9d291d882de1d1c8272c548bf1709268288573b0666fb7b65beda8f511886d9e

SHA512
0f2a7d5950e58566f96af9c28a0bf943e62984b9a0f7d3a2d1dd4bb06dd65e083c166f33f29ff95532bb22c7d0aaac4f8f660e9dfc578f4612a9ead0e2023b85

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
612ae95e9fa63e4aec30e9cec1627129

SHA1
986e681c59c5e28885562251afdb83958565e62e

SHA256
1e948888be6fdd0d2157abf506d021daaf65cfb096117ab2c0bbdb7020636e1b

SHA512
a40e06e2c6e76abb882ef50516e4ac03f1568119d8ff5e93c2a46cbd8d26ea65737f99258b480d147c8d3643e87c99b765f4e39da10fabe300d59e320c9249a1

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
fe74136e92a092c67a95b29f44363b81

SHA1
0af719a0d18df62bb86636dbd6dc79b95566f348

SHA256
0642af4833f5ee5f3ae9f766604b0026fc3504c6d1a0142bb9948be574e44e37

SHA512
64d8d333b80d76ad2d84243f88d9068580eb31698a60a812bb6644a475ca5fb279e97ed09e10c1cea779b4e57443e01eafd9fdeac1bf0dd68e90ff1023d8c21e

Download Submit
memory/308-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/580-114-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/692-275-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/884-308-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1060-291-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-157-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-110-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-461-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-460-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-230-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-256-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-255-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-170-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-458-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-269-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-268-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-111-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-243-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-281-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1284-116-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-123-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1284-304-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1376-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2060-253-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2072-262-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2112-333-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2144-156-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2176-296-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2672-162-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3032-241-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download