4f4cb7610809fa4eaefa419a1ee6a90d07ed4ea911cc27a05b81561d6c253551

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Size

91KB
MD5

e0f5eeca391f562e9b47684478f8fe70
SHA1

b9d651efa29afe6e1ff5969abbaea4771befc774
SHA256

4f4cb7610809fa4eaefa419a1ee6a90d07ed4ea911cc27a05b81561d6c253551
SHA512

bc41f0318f9356d75f6d9e8af33ab0c352e4e572aae99222091965ceafc241103b30941f1a73e7ae8fedea9cd937405a672b3f5e6761cc8140594b1ab1c40429
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu73gRYjXbUeHORIC4Zk:uT3OA3+KQsxfS4GT3OA3+KQsxfS45W

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1640	xk.exe
2612	IExplorer.exe
2672	WINLOGON.EXE
1784	CSRSS.EXE
1564	SERVICES.EXE
2784	LSASS.EXE
1372	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
1640	xk.exe
2612	IExplorer.exe
2672	WINLOGON.EXE
1784	CSRSS.EXE
1564	SERVICES.EXE
2784	LSASS.EXE
1372	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1640	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 1640	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 1640	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 1640	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 2612	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2612	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2612	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2612	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2672	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	30
PID 2120 wrote to memory of 2672	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	30
PID 2120 wrote to memory of 2672	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	30
PID 2120 wrote to memory of 2672	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	30
PID 2120 wrote to memory of 1784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	31
PID 2120 wrote to memory of 1784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	31
PID 2120 wrote to memory of 1784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	31
PID 2120 wrote to memory of 1784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	31
PID 2120 wrote to memory of 1564	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	32
PID 2120 wrote to memory of 1564	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	32
PID 2120 wrote to memory of 1564	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	32
PID 2120 wrote to memory of 1564	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	32
PID 2120 wrote to memory of 2784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	33
PID 2120 wrote to memory of 2784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	33
PID 2120 wrote to memory of 2784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	33
PID 2120 wrote to memory of 2784	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	33
PID 2120 wrote to memory of 1372	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	34
PID 2120 wrote to memory of 1372	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	34
PID 2120 wrote to memory of 1372	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	34
PID 2120 wrote to memory of 1372	2120	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e0f5eeca391f562e9b47684478f8fe70_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
e069f6fd75e304c977e7668fb92cd080

SHA1
3efd3156bcb33b6dc5f05f89048ee472e4edfebe

SHA256
b487c452d820b26d4d0436a03bb5b68fa91561654fdda4e5be6bca3ac67e4d6d

SHA512
e225ac9270724e0b64246a3ffd279d4b3e1502f5b6d309083464d9b258b6fe92230dca849086d826428a4566094e379b0b38395c3ec4dc7ed6e88b0bf40c614b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
6dae7cd758812b878c31d1dc9dec6b9f

SHA1
17c8b652f50563eca1e1f9e53aa5c741c3bd09e1

SHA256
1195a4cd64a17dde453769ce4ad19017819d7337ef9352e7bbb73a92d0fd9aaf

SHA512
479a25aa83be446778784de7f333e1999920cb50e3772d835facb6238247d5065f977ad06fd2902e9b914cc1d4003528121b1aff9a77fe81c84df720fc8f4dea

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
e0f5eeca391f562e9b47684478f8fe70

SHA1
b9d651efa29afe6e1ff5969abbaea4771befc774

SHA256
4f4cb7610809fa4eaefa419a1ee6a90d07ed4ea911cc27a05b81561d6c253551

SHA512
bc41f0318f9356d75f6d9e8af33ab0c352e4e572aae99222091965ceafc241103b30941f1a73e7ae8fedea9cd937405a672b3f5e6761cc8140594b1ab1c40429

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
0f3989ecda890b3a4eb1b9468b5d6373

SHA1
b9ce59e00fe83b244a8c376b89abcf2365162b13

SHA256
548c2c7b85562704f45ff81989c72d3d598e7ee9784c9470c4a02e85f12c44bf

SHA512
ed1e75797c687248a5163678d1863c8e203ef2ef98f6ddfd476130c4881ddfea2d49790709347261ab496438193420b4f50b78e61d52b4fc7c82c5f9e7206d63

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
f587886459f8057b77ae86e8c88b1ed2

SHA1
a94036487d3c92eb08e35975e2b4f39b5ae73a3d

SHA256
962fb324b747a9dee256d044977666214c44faa54343214d512ba184e655af7b

SHA512
c41dd7e1d5e7fbb373adca38739702ec492d0bcdc8ae0b27d08c3707ebc6b4db5d4742e1df21699b0ee1ab18b06af97b9e0f6b2d61a61ad385926f240c1d8eb4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
5f2d88bee2477fe46286a5df57c6597c

SHA1
e538f4d72d0fe88cf4e03dae624682d13fb59bb9

SHA256
86270ec5d6461ddd3e51b15cc937e4ab4213644b6546a75eddac10fd70d4fcab

SHA512
f2c97ace25a0a000d3cae00dc0ce253a8a748dd9d67aa45e6be7c762ef170232cddd2414de1eca21bf8d7d75c3cc926cc0b3ae4ee8208481e0b1251b7ad2c047

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
da471305524d4f0c8bfc1265c44d480c

SHA1
6be27fc251d68b8e761dd3325905733df856185f

SHA256
fb17a02a9b83c84f9b24cc0e0849457fe2eca379aa3dba84cd029fba8c69171a

SHA512
4cc964080ef1d7a41bcb8c60b219147a54c0c9776562d23a4dcc0272c9f776f85e98b5dc260c2ede95c6590dea865d2e64b52913d87b0c21352d2aaaf537a6dc

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
527a0c783a6e158c7a17ace23d21c9bf

SHA1
4dcb87d90b44da0919dc4d8fb27f8a2fd7dacba6

SHA256
02995eeeedcc5b82da074d925b143a17dd1df747ae3994704bcedc6978b0d000

SHA512
afcf4e37c6627303b44469723adda2cd3140c64f13c3a6f8a3d1751511637799fa5f0d2d761be8e6263f8b2e4d7160b8e04be4e5bff4d1358fbde7facee6ff06

Download Submit
memory/1372-200-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1372-204-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-177-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-176-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-172-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1640-120-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1640-114-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1640-117-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1784-159-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1784-164-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2120-116-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/2120-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2120-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2120-205-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2120-122-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/2120-158-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2120-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2120-161-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2120-198-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/2120-199-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/2120-206-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2120-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2120-129-0x0000000002600000-0x000000000262C000-memory.dmp

Filesize
176KB

Download
memory/2120-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2612-132-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2612-131-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2612-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2612-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2612-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2672-145-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2672-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2784-185-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2784-189-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download