d44289e14cc4a6807c36d5f39a3b74a8bdcfa6bd687ec12254f04b276bcfce4b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Size

45KB
MD5

482ff905f158982b6ac97ec78423bd60
SHA1

8ddf926035db93ae5217d4dd6baf2756fb9b471e
SHA256

d44289e14cc4a6807c36d5f39a3b74a8bdcfa6bd687ec12254f04b276bcfce4b
SHA512

68ce31fa62e31e7a5cf072a38c8cfc213750ad916bc823b6eb883421f5e3db700cfa9db2037c16b7d97ca046c64a1699d40d1c8172d9360f62c386341b715e77
SSDEEP

768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nES:zAwEmBZ04faWmtN4nic+6GS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1500	xk.exe
1876	IExplorer.exe
1240	WINLOGON.EXE
2792	CSRSS.EXE
2704	SERVICES.EXE
2808	LSASS.EXE
1856	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
1500	xk.exe
1876	IExplorer.exe
1240	WINLOGON.EXE
2792	CSRSS.EXE
2704	SERVICES.EXE
2808	LSASS.EXE
1856	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1500	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1500	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1500	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1500	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1876	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 1876	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 1876	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 1876	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 1240	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1240	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1240	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 1240	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	30
PID 2240 wrote to memory of 2792	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2792	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2792	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2792	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2704	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2704	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2704	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2704	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2808	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	33
PID 2240 wrote to memory of 2808	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	33
PID 2240 wrote to memory of 2808	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	33
PID 2240 wrote to memory of 2808	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	33
PID 2240 wrote to memory of 1856	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	34
PID 2240 wrote to memory of 1856	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	34
PID 2240 wrote to memory of 1856	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	34
PID 2240 wrote to memory of 1856	2240	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\482ff905f158982b6ac97ec78423bd60_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1240
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
45KB

MD5
482ff905f158982b6ac97ec78423bd60

SHA1
8ddf926035db93ae5217d4dd6baf2756fb9b471e

SHA256
d44289e14cc4a6807c36d5f39a3b74a8bdcfa6bd687ec12254f04b276bcfce4b

SHA512
68ce31fa62e31e7a5cf072a38c8cfc213750ad916bc823b6eb883421f5e3db700cfa9db2037c16b7d97ca046c64a1699d40d1c8172d9360f62c386341b715e77

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
dd702b3ee76c7b89d10917b7045f1eea

SHA1
4792b43ef80364b18795757a76d548eb7e3706fc

SHA256
cc64771a52a45c1b35726c5b516bc350b0bb12251a32db6b9cc753df3c6157b1

SHA512
0d33400d8e09efb6071fa7830f3f65cd29b7679c04524ac0ac3d794d54f274eb4112114e2d08de37c7736a7b590f289d13e9694958dce30abe89158356efa236

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
9a7bea0694ac37839d25de1c1f396152

SHA1
01085917b410cdab46cf148332d7bbf2a5680540

SHA256
d4e70efa83c22d5bb4be911a8386401bb4fc4e5c09e47d1aab4387e25340a48f

SHA512
8e372ded4e61f2e34322d0adeb36d56cf2c09a184a833a5750ec5c4684d0c8b55e6f93f2dc397accb65cf23457289124f83a06a890dd5e7205884223b8568a48

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
3fc3bfb31ec6ae221c88979e5669d56a

SHA1
ce977095dd2a5a6cfa2a7b87567f7856750a3d5d

SHA256
6403dcb6515d8e0bbd6e43f91d8f8176ecbdd40d1b591c50d8822fdc1fbde3f2

SHA512
6d77b5338642b29127502313d7a20f6945a7b6b6b912b3846805ecd123bb634f93a30dfef1c3ff274bacec0d4bf59201572d41f656fc4d38917dc2d48741d40e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
0b60576fe940106d14cff9f63945270c

SHA1
2143aa380cc8b0ff8f1b73b79b09500d830b74e1

SHA256
57404f9f40db2f960a1ad4b0a7ca4457fc5e6aa510f8ae560940ebafd2de08b9

SHA512
56b71b1bd915502f3f3485e6e935fcd9bd5167755951b6826e17a10930baba3e80d30a7503498cc34c223b7ce6299fad92e870e3373fe90716dc3a860acebc0e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
8152bc98283aab7ffefbdf637a8e7368

SHA1
255e13d7a12c4abc616d3d8be822e91112c22db5

SHA256
200714df06c98653d9a19553e46a5016c3358eb589e1c6ca8a803ff5f2f2a245

SHA512
a4a462a8be4328015afc3402774263e060a875d948e127304d246a0ae8d3f000b7ce229f01a22e37ad7ac23c5eb5bd47b85f33d5d931edc4e2fbe3dee6761333

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
061ed925aeb782a2fee592f344bdecbc

SHA1
8814b43860a01fcacd2b8ca5f034a03bcb93eed4

SHA256
622e884dbc96fdd97ef11cf39886a16072aa78d48d29c3ad6a22159c4599c350

SHA512
7e2ce2dc5c928bd5fab4b004c5105ecd32bc5e449b272f57f778d3a97e606b48b4a38f036f9520abb5a780a8afec660042d7947f6fcc12299b6d18e0db998bbb

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
2dc75994ec98b90529b017f337d8ce03

SHA1
01725d7e05965ff41cd4fb7dc19ad9b57667bc79

SHA256
aabeab8711c549f6e52ab9ee1cb6a5cc776f1931866c6c4975140f6716bee642

SHA512
48065480d196b61120bbc89249566ee25d192b06793fc78921aeaadfd6ecd2da6a78c035810d102c9239c67b3dd13fc71fdbe50bca7a01746f88a4c13670a518

Download Submit
memory/1240-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1240-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1500-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1500-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1856-185-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1876-122-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1876-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2240-186-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2240-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2240-157-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2240-111-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/2704-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2704-161-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2792-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2792-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-169-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download