Analysis

  • max time kernel
    149s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 03:39

General

  • Target

    5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    5d53a28bb3daf2eac3243d9b8bf62c00

  • SHA1

    6141c8ceab00d56d312101232c95e73e438d1612

  • SHA256

    7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44

  • SHA512

    e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2

  • SSDEEP

    1536:yOcjUpkWb2TTgKwuSOcjUpkWb2TTgKwuq:yOcjWJu7tSOcjWJu7tq

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
  • Disables RegEdit via registry modification (16 IoCs)
  • Disables Task Manager via registry modification
  • Disables use of System Restore points (1 TTP)
  • Executes dropped EXE (56 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 40 IoCs)
  • Drops desktop.ini file(s) (4 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (50 IoCs)
  • Drops file in Windows directory (32 IoCs)
  • Modifies Control Panel (32 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (7 IoCs)
  • Suspicious use of SetWindowsHookEx (57 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3228
    • C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3624
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3160
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:832
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4160
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4628
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4468
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1948
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4996
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2280
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1360
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4180
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4164
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:876
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1316
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3648
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4924
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1000
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4196
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4860
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4284
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4556
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1832
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2928
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:720
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4136
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3564
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4384
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3956
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1268
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:836
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3888
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:396
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2468
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4476
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1264
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1836
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1464
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4704
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2420
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3716
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1236
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4980
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2532
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3220
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4336
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1272
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4508
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4708
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3044
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1436
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1636

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\4k51k4.exe

          Filesize

          91KB

          MD5

          ee6a9fa20d6cae8d3dc86f5998057f66

          SHA1

          4593272829a104705dc3f5d37edcdebeabcfa62c

          SHA256

          166d2ac4a0f27ffd01d31c5f2ece6d155f0a3a4c7c36223d1fb6c3abfc871ae0

          SHA512

          16d11c3e0466c5d3c677863de7099e436af46a6379845acede65aff4ccc3d94f9af056838da0e9d3fda483d5bfd77be1585888c80588c180a409effd85fe724d

        • C:\4k51k4.exe

          Filesize

          91KB

          MD5

          9a3aff244d5e3828aee4d64ee18d9fb3

          SHA1

          5a5a0a6c30abb4f5ac41d6104584ef252a390013

          SHA256

          f70c6d6a6b9168f7872cf7430fe4ba23e9bec4cebb7b95e750835614805abf40

          SHA512

          2719d23e524770c6abdcd5de986df1b9d100f05551954b96a8ce07cc6d42fff229b01fb83443232fc23e36babe732dab9dd937754b9e1aa736b4afa462d77d70

        • C:\Puisi.txt

          Filesize

          442B

          MD5

          001424d7974b9a3995af292f6fcfe171

          SHA1

          f8201d49d594d712c8450679c856c2e8307d2337

          SHA256

          660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

          SHA512

          66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          91KB

          MD5

          871be703aca346d79dd82003515a529d

          SHA1

          e69da354bfd0803bd5598f8c6031386ff7fe2d25

          SHA256

          ea7e7b7c6cad7cf42c5ab07e9caf6eace00ece0316f0f235b6e8799d6b8fb304

          SHA512

          b45ded96f103b2a3ce7afab8ecdc79736baa61806139a42f2951b209de85d5985897ef0868e875d582ce3b6782299b8834d060c7e30d39d5bf98f0bafbfbd68f

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          91KB

          MD5

          74e473ca0a41a34d4201e223af31bca4

          SHA1

          6510311ed895c32e0ab3ee505f0b673d100747b4

          SHA256

          329d467cf944105db4328fc12a7a22adf48cfbd217e976e2e0372024a1668849

          SHA512

          a046d1941ca29de11940c9fbb8695ab71e3ce36fba65729fa8456e2c780d01bdf304f16a23a4844e5b050d95f55d8a940827473b91084ce8112ae3bb5433d54f

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          91KB

          MD5

          b605b1df3d682e2d569f700073f164b9

          SHA1

          0b1aa9ba58a4dc03581dcfe005f7b5f978b7e67f

          SHA256

          61e2e92cf9ecfdd8ab6cd0e16025ca009e39ca9c4c4af2dd7e8499c5efcf9cfc

          SHA512

          4149ed44ee4dc72718a0602aabb9775b4d8cc78c46ded9ebef0772bfc545ba0c9aa1d2e5a36cf66e1a8a94ef19453039eceda10739f72d90bf6b2165c21ac151

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          91KB

          MD5

          72dcd32c5e60b36512fe7bf71ef428b0

          SHA1

          14dccb1f4d37a54e1bc4cf385b169f9042e2659f

          SHA256

          dda66a43b6e86903bff35e02875d5edabc688e5fe3386d8011e2ab812ea61a03

          SHA512

          2a3a18cda35ee513f5a2fc85f85455708147a71425ee7a9b93f228585093c306692d53dda026e75bfeb9f7b0c7a41e777ab18e344094dee7235c5aa417ea77f7

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          91KB

          MD5

          04ec7cf90223414e92bfd6537a86beeb

          SHA1

          34c3d1c6f2e95024bdc4713c6ef2bb0326f9acb4

          SHA256

          2a45e6c0d9ef8f4fd2b17d46cc415bdebe6d835717eab296b191f98f4354f687

          SHA512

          2aff2cc959c2bdb1cbb6a0bf14bb6fc28b0ac63a58cee6ac166a3d23bc36b1f1a9f7f93ac02945c99852b9dfd212b3e32a7d0fa5143d98998d2f557e86994a22

        • C:\Users\Admin\AppData\Local\winlogon.exe

          Filesize

          91KB

          MD5

          5d53a28bb3daf2eac3243d9b8bf62c00

          SHA1

          6141c8ceab00d56d312101232c95e73e438d1612

          SHA256

          7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44

          SHA512

          e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          91KB

          MD5

          4c2958054d5c23e603e1621be8b2457c

          SHA1

          6f0810a815d207c98a66249754e38f82b89f6a2b

          SHA256

          19a4b6789165a62d2d52af5a5c8b317dce51a8d4866a164b3be3ced381f98b90

          SHA512

          08376acad7129dcd461128a77e141aaf5693a017ec1a4e2280944aa23ba9ff8376c9a72134baf1719c3e3badcfd480d3b9edd98fd5d90cd6a096a40adb55113e

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          91KB

          MD5

          3d1a186bb8e9f17300df9ecb04e1617f

          SHA1

          4b3848f3cf43d80f468e7e15b4ec7cba4529d0dc

          SHA256

          d7b6bfd2aeba125441dde40b13ffe95fac0c9c17fd3443036d5d1041ecb5f230

          SHA512

          96951946e57fbfe45470f6c1709e1ec4c1fc9b61997225aa2fdb8149aa64f64515217814fef121136b10804f32a84c209da7cd2607d1e550c1e860f6243c52ec

        • C:\Windows\4k51k4.exe

          Filesize

          91KB

          MD5

          7190b38b2940345ace84e2c3356b8d14

          SHA1

          e26c5c3b2a7f5500093735007cf85193c29a4f70

          SHA256

          be5faaafb0bc258d13ec49320f2b60532e129b534e08ef506826c57a678b5d8e

          SHA512

          3ee61933845aaf9fe59952cc897d4947edb7b7a79c9713c0ce26cfdaec4f6293eaf6cb739cf3f9e7505cac17ad8feb65a578d0b12a1195c3627bfe3efd248332

        • C:\Windows\MSVBVM60.DLL

          Filesize

          1.4MB

          MD5

          25f62c02619174b35851b0e0455b3d94

          SHA1

          4e8ee85157f1769f6e3f61c0acbe59072209da71

          SHA256

          898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

          SHA512

          f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • C:\Windows\SysWOW64\IExplorer.exe

          Filesize

          91KB

          MD5

          08ff110ff32f6817ae2b1980bd8a6059

          SHA1

          b8321f5602f4ab0247a58b05058e4023e69ffbda

          SHA256

          ae240ab44ec8650d9f0efb236210cf66f7b576584fdaf58c5d490fdf8304625c

          SHA512

          8283c5c6ef045b65bf1603ccf4063e0a396be6e792fbb5e5354a5e722b3377b73a38a9a7e93f26c05b995dc3550f97be23453027fc788734e43aa3bb8e074971

        • C:\Windows\SysWOW64\MrHelloween.scr

          Filesize

          91KB

          MD5

          44420f206c3da33898d8476fd9ce24a5

          SHA1

          9eff89b58ac646c70e74123d035620720fc36a8c

          SHA256

          313d6a61b173fa211bf5e9ac44a6c801117ca2abb93cc5dedac0ca2b5193122d

          SHA512

          696879a8e0084094f3eed65f1bfe5d6bcc7686ef3bb3d0524cc4d33392b8b1531b69ba0c8f20071a797f2dc8a977d0c60d977de3542ea5ef2108640381af7ad8

        • C:\Windows\SysWOW64\MrHelloween.scr

          Filesize

          91KB

          MD5

          8b74c71f06b8c10a43df5f338beb3852

          SHA1

          4f04c9712abdd68089f7e04cec96bf4992f05032

          SHA256

          b04b5c519245d38bad0403471127fa45972f25047c5a087042df55e1bc8ecd23

          SHA512

          8d5d9b11eeb217ead6090354c920d28f4201504876d133e620b14f4a01db216483f7a7b3fae6bce0811f63904ec56aab654f3b46ced721d6d2d1d2ecd36a2acb

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          91KB

          MD5

          99bfe8511257d272b35e1ea8615cd578

          SHA1

          9db7daeaccc8c1d740c1e2d9768956d7384731cf

          SHA256

          3472bfa0cbe00741010d61ce077ecf63a4a7e5455375fd9817fa1ac9f3ccc94f

          SHA512

          1f006dc41bc3aef461b4d26614451e5351581900c6b73ba460c84f015ac8616d595262c3521174bc96d9290e8d87c17a07415479fefd25dccf686726f4302f30

        • C:\Windows\SysWOW64\shell.exe

          Filesize

          91KB

          MD5

          cf60e2f9cebc828575125c68ddbd106a

          SHA1

          506380afc378b29aced025d05abecadacd9351fd

          SHA256

          78118668735635081af03a88d32a19c9722af1fc69654ff69a259fb33075cef7

          SHA512

          bb5b13f6faa5a84840a164ac6eee8d9fca8ccf80e1754dca648214fe8eab16d190f146dc0d4b18a71060037a9429ecb0b3586b304bcfb727c8ca2986b4cd714a

        • memory/396-513-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/396-261-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/720-415-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/832-203-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/832-213-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/836-425-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/876-263-0x0000000000400000-0x0000000000423000-memory.dmp

          Filesize

          140KB

        • memory/1000-511-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1000-239-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1236-438-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1264-448-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1272-492-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1316-303-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1360-211-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1360-204-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1436-505-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1464-463-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1672-497-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1832-396-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1836-455-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1948-323-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/1948-314-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2280-236-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2280-510-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2420-514-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2420-296-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2468-428-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2532-453-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2636-494-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2928-404-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/2928-400-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3044-487-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3044-483-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3160-189-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3220-461-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3228-148-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3228-0-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3316-482-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3564-364-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3564-341-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3624-225-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3624-509-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3648-310-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3716-429-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3780-501-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3888-441-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3956-390-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/3956-384-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4136-129-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4136-512-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4136-241-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4160-231-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4164-235-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4180-229-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4196-324-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4284-370-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4384-379-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4468-308-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4476-437-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4508-305-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4508-515-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4556-388-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4628-265-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4708-477-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4860-362-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4924-326-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4980-447-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
        • memory/4996-367-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
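Every dump name above encodes the process ID, a dump index and the virtual address range that was captured, and every entry covers the same range 0x400000-0x423000, i.e. 0x23000 = 143360 bytes, which the report rounds to 140KB. The following Python is an added example, not part of the sandbox report: it parses that naming convention, cross-checks the printed Filesize against the address range, flags any entry where the two disagree, and groups the dumps by PID so that one shared region across many processes stands out. The sample list is a constructed subset of the entries above. That 0x400000 is the default ImageBase of a 32-bit PE is general knowledge; reading the shared region as the same image mapped in each spawned process is an analyst's interpretation, not a statement the report makes.

```python
import re
from collections import Counter, defaultdict

# Dump names in the report follow memory/<pid>-<index>-<start>-<end>-memory.dmp,
# where <start> and <end> are hex virtual addresses of the dumped region.
DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Constructed subset of the report's dump listing: (dump name, Filesize as printed).
SAMPLE_DUMPS = [
    ("memory/3228-0-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/3228-148-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/4136-129-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/4136-241-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/4136-512-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/3160-189-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/1000-239-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
    ("memory/1000-511-0x0000000000400000-0x0000000000423000-memory.dmp", "140KB"),
]

# Default ImageBase of a 32-bit PE executable (general knowledge, not from the report).
IMAGE_BASE_32BIT_DEFAULT = 0x400000


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, index and the [start, end) address range."""
    m = DUMP_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def size_label(size_bytes: int) -> str:
    """Reproduce the report's Filesize label: whole KiB (143360 bytes -> '140KB')."""
    return f"{size_bytes // 1024}KB"


def summarize(dumps) -> dict:
    """Cross-check printed sizes against the ranges and group dumps by PID and region."""
    per_pid = Counter()
    regions = defaultdict(list)
    mismatches = []
    for name, printed in dumps:
        entry = parse_dump_name(name)
        per_pid[entry["pid"]] += 1
        regions[(entry["start"], entry["end"])].append(entry["pid"])
        expected = size_label(entry["size"])
        if expected != printed:
            # A disagreement means the name or the size column was mangled in extraction.
            mismatches.append((name, printed, expected))
    return {
        "dumps": len(dumps),
        "processes": len(per_pid),
        "dumps_per_pid": dict(per_pid),
        # region -> sorted list of distinct PIDs that were dumped at that range
        "regions": {f"0x{s:x}-0x{e:x}": sorted(set(pids)) for (s, e), pids in regions.items()},
        # how many distinct regions start at the default 32-bit image base
        "at_default_image_base": sum(1 for (s, _e) in regions if s == IMAGE_BASE_32BIT_DEFAULT),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMPS).items():
        print(f"{key}: {value}")
```

On the sample above the summary reports one region, 0x400000-0x423000, shared by four PIDs with no size mismatches; run against the full listing the same check shows one region across all 61 dumps, which is the pattern an analyst would expect when every child process is an instance of the same executable and only one of the dumps needs to be unpacked and examined in depth.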