77a445f7210d6dbab1d7bed336b61b3f7cad4f1fc9862a06935ed10125333d71

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Size

91KB
MD5

1a30370816969cb3572f48f379f3f810
SHA1

68e6d44d44468ab04a44d06bea9f9011cac54d86
SHA256

77a445f7210d6dbab1d7bed336b61b3f7cad4f1fc9862a06935ed10125333d71
SHA512

7939da857d373dcf110c9e0e118d857cb98ede8f0d3d235461a0d7cbb9d4ccaf9295df5c375d21ff85d211e93b3eb0cf4da0512d6ce82ca6df522d3403ddbcf9
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuGA3gRYjXbUeHORIC4q:uT3OA3+KQsxfS43ST3OA3+KQsxfS45W

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2592	xk.exe
1912	IExplorer.exe
1240	WINLOGON.EXE
2584	CSRSS.EXE
1032	SERVICES.EXE
2864	LSASS.EXE
2192	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
File opened for modification	C:\Windows\xk.exe	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
2592	xk.exe
1912	IExplorer.exe
1240	WINLOGON.EXE
2584	CSRSS.EXE
1032	SERVICES.EXE
2864	LSASS.EXE
2192	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2592	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2592	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2592	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2592	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 1912	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 1912	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 1912	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 1912	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 1240	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	30
PID 2860 wrote to memory of 1240	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	30
PID 2860 wrote to memory of 1240	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	30
PID 2860 wrote to memory of 1240	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	30
PID 2860 wrote to memory of 2584	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	31
PID 2860 wrote to memory of 2584	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	31
PID 2860 wrote to memory of 2584	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	31
PID 2860 wrote to memory of 2584	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	31
PID 2860 wrote to memory of 1032	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	32
PID 2860 wrote to memory of 1032	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	32
PID 2860 wrote to memory of 1032	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	32
PID 2860 wrote to memory of 1032	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	32
PID 2860 wrote to memory of 2864	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	33
PID 2860 wrote to memory of 2864	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	33
PID 2860 wrote to memory of 2864	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	33
PID 2860 wrote to memory of 2864	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	33
PID 2860 wrote to memory of 2192	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	34
PID 2860 wrote to memory of 2192	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	34
PID 2860 wrote to memory of 2192	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	34
PID 2860 wrote to memory of 2192	2860	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a30370816969cb3572f48f379f3f810_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2860
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1912
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1240
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2584
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1032
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
b25aaebb9aaee624b1cbf4bbd60310f3

SHA1
f842e5d83b9ec23811126948ed068a8f6a8edc61

SHA256
7482e9b97fcb95af78f418ff2689516ab79ac2f1f67c7f3aeb0eab95f2ad4a62

SHA512
a77be42dee280b1de67b452d5c06ae4cf87148e47127e0490f4e1ad13a2ada05a37f6fb0127d2517e08f784c9e916b5015148095f61bb5c03227f67b59b641c4

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
1a30370816969cb3572f48f379f3f810

SHA1
68e6d44d44468ab04a44d06bea9f9011cac54d86

SHA256
77a445f7210d6dbab1d7bed336b61b3f7cad4f1fc9862a06935ed10125333d71

SHA512
7939da857d373dcf110c9e0e118d857cb98ede8f0d3d235461a0d7cbb9d4ccaf9295df5c375d21ff85d211e93b3eb0cf4da0512d6ce82ca6df522d3403ddbcf9

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
26e706eacf96701577cccfc182571479

SHA1
bd3ba40448f4b7d3572319f56c6ea585b97f4965

SHA256
16df2480ad79dfe376e05260f08cc9eb3764277516b3835cf290f30c8dc030ed

SHA512
e1a00614a46eb5b21245b8f6aac8a18ef7a2b4529e7703590fe488a5f8840d335ed7759d8ccdabb7fe6409b58703c8fe9ca288ab7d0920f11ba7e2bb0d1962da

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
24da2e3ba2bb4fd1594047902eef5785

SHA1
0fd30770a99b1305ff4b64500169f5bbd58a9904

SHA256
3e02d35249b6678b1deca03aa51d491a2bee8779e036bc9670d441ce191e3146

SHA512
f77558fb07a0156dd12d9d83df152808327a07c16ea22a3fba02b7f09ef9884a0500b928219121a0642013c0214a7f5fd21a84807f071cfb95458bf8bb02d169

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
8ec972c9aaac25281643e4acfb656b88

SHA1
4453279114ef1be2aa2775e3b45e1840ab9bab44

SHA256
a6c151641c2d3bf11fc9a38469a8d8e3f4604a24357523e49e8ec796bcfb6151

SHA512
d808fbe00fdcfd986ab919ec07378522761e9a2cb83cf80d141e932b4a70462cc85ee5476d5feaa8df5badb3e774ddcb3ec81eb465d553132b60bfbe428d525c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
f7978180eb8c495493a72904daa7a183

SHA1
bc97a405cf687b26538fc95e708667f43e6223b2

SHA256
bb2efb963dfaef68b3ded5528e4f6f6387ebef9b879d9729b1ef78f1e761138d

SHA512
6c55a2a747283d006eba66d9292924f2bf13649f2bd60d08ee0f0c964826cb8a0ece318f14d61b4c1c06f9f3e19dcf55eeb8bc24d48c248f39495f13b866f34a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
9d658d6f19663161353c11bfff1cc02c

SHA1
c1a42882c95d2fe120d60832626b897d542ccab9

SHA256
6b396f907aa65882f63aeea30fc4e96e40a9fdeb50962bcc333fc37bfa50044d

SHA512
b3d5fcdb3671429e57f568dafbd25170a4c68ecd4f07e8877f4afb77bc120a029e43e5867cfc46b59c3bb90a69b08e0be42ca03385a63a091dd4d80bb604c438

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
a0446e45f73dceefb47bf300fc6e1e8b

SHA1
edffe17ef20b488c1283cef1aa8b24e4fe8e7900

SHA256
fd5cf4a977bef71339151aa2bd64a74c59dd0b81e8b946ae85a3b8c55875e76e

SHA512
52eeffd7a4c8313875f614d330ba6a559838242596e82e3e97491fc76dd9beef85887a6a137fa9e478e81a4b40140e50d8511faa58d3c88c636f450b55eca129

Download Submit
memory/1032-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1032-176-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1032-175-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1032-182-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1240-148-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1240-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1240-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1912-133-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1912-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2192-205-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2192-211-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-162-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2592-118-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2592-117-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2860-114-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-203-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-161-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2860-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2860-146-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-145-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2860-113-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-132-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2860-147-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2860-204-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-125-0x0000000001DE0000-0x0000000001E0C000-memory.dmp

Filesize
176KB

Download
memory/2860-212-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2860-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2860-213-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2864-201-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2864-190-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download