4368d3e18a33778253cf7e6970d5d7fb2c07bc57a36023e8af2f7ebd2bb9d7f4

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Size

45KB
MD5

112c52e278c178740ad6ab8db2df1730
SHA1

07f953bfd3819edd5667ebfeefa33a38d2777d57
SHA256

4368d3e18a33778253cf7e6970d5d7fb2c07bc57a36023e8af2f7ebd2bb9d7f4
SHA512

d5e82fabdc75110cc2db15c1c05ed33741b8acf69cb6e7f4d93ccdcb971e69dd279a2f19e82d2d7fc09e2d5b8d85ca05046d182ffd2b21e1fefc2c32571210e0
SSDEEP

768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nEa2:FAwEmBGz1lNNqDaG0PoxhlzmL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2816	xk.exe
2928	IExplorer.exe
1792	WINLOGON.EXE
1864	CSRSS.EXE
1696	SERVICES.EXE
2312	LSASS.EXE
1252	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
2816	xk.exe
2928	IExplorer.exe
1792	WINLOGON.EXE
1864	CSRSS.EXE
1696	SERVICES.EXE
2312	LSASS.EXE
1252	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2816	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2816	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2816	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2816	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2928	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 2928	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 2928	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 2928	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 1792	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	30
PID 2956 wrote to memory of 1792	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	30
PID 2956 wrote to memory of 1792	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	30
PID 2956 wrote to memory of 1792	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	30
PID 2956 wrote to memory of 1864	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 1864	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 1864	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 1864	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	31
PID 2956 wrote to memory of 1696	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	32
PID 2956 wrote to memory of 1696	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	32
PID 2956 wrote to memory of 1696	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	32
PID 2956 wrote to memory of 1696	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	32
PID 2956 wrote to memory of 2312	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	33
PID 2956 wrote to memory of 2312	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	33
PID 2956 wrote to memory of 2312	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	33
PID 2956 wrote to memory of 2312	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	33
PID 2956 wrote to memory of 1252	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	34
PID 2956 wrote to memory of 1252	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	34
PID 2956 wrote to memory of 1252	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	34
PID 2956 wrote to memory of 1252	2956	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\112c52e278c178740ad6ab8db2df1730_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
129826c7ed04419b5d4ebe81082145a8

SHA1
8277d293178194af3b1c2f4d434b68c9b9222d3c

SHA256
4d2f540c7c2d4b9b045a516df64cc920a421c1308efb9d24789e192f1cadb01a

SHA512
7b151280d42aa15c90fb309b753c54f761f783b9d101459f94dfbe62e453c33415ef799e7a4e699ef55b9bb71cebc0f10ce50106bcb754a6da33476b9a53e77c

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
45KB

MD5
112c52e278c178740ad6ab8db2df1730

SHA1
07f953bfd3819edd5667ebfeefa33a38d2777d57

SHA256
4368d3e18a33778253cf7e6970d5d7fb2c07bc57a36023e8af2f7ebd2bb9d7f4

SHA512
d5e82fabdc75110cc2db15c1c05ed33741b8acf69cb6e7f4d93ccdcb971e69dd279a2f19e82d2d7fc09e2d5b8d85ca05046d182ffd2b21e1fefc2c32571210e0

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
cf6b8f6642d99a9d1616fdab223424ec

SHA1
1d231f14c8f8d65567f60c005f9145bcf507d350

SHA256
a36d09a71f959d115c899f723cfe0f091c3d3ecfaff8c4e6345a7545cc5ac37d

SHA512
9b5ddb1a381b9cf7c8082ab7c4368d9e78de4eae2e1760ba72c0baf49acae9e76c77d8d0f9b103c678635607be0c00706048145741f1f55f2786fc2067436cb0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
5b8562540c2236ba44bfd70ea8c53151

SHA1
c5b9ddcc213622b6bb87805792dbe1b757e48289

SHA256
accb64910d57d1898b7012f9c677588e500a9dbec67af74910b23ede781abd76

SHA512
1fc443a9bed7a3506a451fd7debdc4c2e38d4e57d833d16c8c42933d2447541b654e6ff4b7e1fa05b8e4aaae4fa951e98fb0ad15c51c895016d9f48ca2344750

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
a01d89fe9115862c9f1407344b12807f

SHA1
865eb49b030696fe97d05b33f79109d06a4f11e5

SHA256
5053247fed813ea9739e96b3124fe04b74fcfe65e683a669d2df08b17178f5e1

SHA512
dfa2ba81cc2fbb148e179560965dae5ae14434b17dcaf0501d27254457910f63425202dd5c6c7d590ccc1476c75cf46debbc089f2fef35e97d21177e7c25abb5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
dd7644dc0c65091c0d7423cfcb9561a7

SHA1
7a1ee5b4d9c3e2ad9f6d3b63cab0f92d9fa2b9a0

SHA256
396f5451d643886dc2a3d1c52ce96657c767c5a2db5d59af2ac9520974871887

SHA512
029dc867be6c664e6892ebdf6fa7ba86a575ec71f7772feac539a57d8243a008cd504ee733655da01d8160323a32fda30aaf6d697b2d2da342ea3921e0a84186

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
1b61d9f39ef173979eccbc2a96c90504

SHA1
66b3005b41657460f13e85bd962b282d6bc570b1

SHA256
987db19fe8e65ff386fb7f51f4699607129e37a4726f2ad808a9d96df47ea187

SHA512
c6ab22e26e1077f5d0844eb8544163816e7a979609da85f015af716a6cd35f29465b24d22792bd07eeb6a0573f5398c7435f72bfd2871e55581a26b5d42dad21

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
58163e0c0dc9fb94d434a28519c18682

SHA1
d79de007d23f6d3005841728f4b98b461e1bc1ca

SHA256
968564787eeaede85e492b3d8af796b96b4cc78ca0e527479cd91e313853da86

SHA512
d2e6b1931940668939885396a10eb613d43d7f3ce41e252c8a847c5b930ebe6fb13c707da383272426a7a42db08a7a0b6c489c3a4db4501229eb9d17ce34613f

Download Submit
memory/1252-182-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-162-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1792-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1864-148-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2312-173-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-110-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2928-129-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2928-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-156-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-122-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/2956-109-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/2956-184-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download