Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-05-2024 00:44

General

  • Target

    66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    66caf603baa5fcce64131292a13afe30

  • SHA1

    7b8710d4c2a373f354d6b4dc1ad83422b3181ea1

  • SHA256

    0621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3

  • SHA512

    b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f

  • SSDEEP

    768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwe:/a8jroAbRB+XWCQLZeIdSwk9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • ASPack v2.12-2.42 20 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 45 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2892
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2456
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1916
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1704
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3044
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        PID:3052
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2440
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2708
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1780
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:944
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:304
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2192
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1452
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1552
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:908
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2504
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2884
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1572
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1568
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1308
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2800
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2868
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2560
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2280
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2684
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1788
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1240
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1796
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1564

Network

MITRE ATT&CK Enterprise v15

Downloads
