cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Size

205KB
MD5

28357c37e444030d84a1b4516ddc32d0
SHA1

5467b9cd50846d306ac8206b51e6b9841386db14
SHA256

cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab
SHA512

39203541af816de57577387bc36463fd5dcc1c5bac3020d3bc6c0d733503f910d3b7e3adc33d5562b1becfeb5d236a309662905c1beebd6ecab1bbf80a3e64ed
SSDEEP

3072:E/5F/E7tEf0i+p+tYlpJH7iXQNgggHlxDZiYLK5WpY9vSGmF3onW+MBm:EhF4cH+wWJH7igNgjdFKsAvHmF3onW+x

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 11 IoCs

pid	Process
2852	xk.exe
1072	IExplorer.exe
1740	WINLOGON.EXE
2492	CSRSS.EXE
2216	xk.exe
2304	IExplorer.exe
2292	WINLOGON.EXE
1936	CSRSS.EXE
2948	SERVICES.EXE
1296	LSASS.EXE
1828	SMSS.EXE

Loads dropped DLL 18 IoCs

pid	Process
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\desktop.ini	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	F:\desktop.ini	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\B:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ = "_NotesModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ = "_TaskRequestDeclineItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ = "ExplorersEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ = "_FormRegionStartup"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1544	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1544	OUTLOOK.EXE
1544	OUTLOOK.EXE
1544	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1544	OUTLOOK.EXE
1544	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
2852	xk.exe
1072	IExplorer.exe
1740	WINLOGON.EXE
2492	CSRSS.EXE
2216	xk.exe
2304	IExplorer.exe
2292	WINLOGON.EXE
1936	CSRSS.EXE
2948	SERVICES.EXE
1296	LSASS.EXE
1828	SMSS.EXE
1544	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2852	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2852	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2852	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2852	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 1072	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 1072	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 1072	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 1072	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 1740	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 1740	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 1740	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 1740	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	30
PID 2192 wrote to memory of 2492	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	31
PID 2192 wrote to memory of 2492	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	31
PID 2192 wrote to memory of 2492	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	31
PID 2192 wrote to memory of 2492	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	31
PID 2192 wrote to memory of 2216	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	32
PID 2192 wrote to memory of 2216	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	32
PID 2192 wrote to memory of 2216	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	32
PID 2192 wrote to memory of 2216	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	32
PID 2192 wrote to memory of 2304	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	33
PID 2192 wrote to memory of 2304	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	33
PID 2192 wrote to memory of 2304	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	33
PID 2192 wrote to memory of 2304	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	33
PID 2192 wrote to memory of 2292	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	34
PID 2192 wrote to memory of 2292	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	34
PID 2192 wrote to memory of 2292	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	34
PID 2192 wrote to memory of 2292	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	34
PID 2192 wrote to memory of 1936	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	35
PID 2192 wrote to memory of 1936	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	35
PID 2192 wrote to memory of 1936	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	35
PID 2192 wrote to memory of 1936	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	35
PID 2192 wrote to memory of 2948	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	36
PID 2192 wrote to memory of 2948	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	36
PID 2192 wrote to memory of 2948	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	36
PID 2192 wrote to memory of 2948	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	36
PID 2192 wrote to memory of 1296	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	37
PID 2192 wrote to memory of 1296	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	37
PID 2192 wrote to memory of 1296	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	37
PID 2192 wrote to memory of 1296	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	37
PID 2192 wrote to memory of 1828	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	38
PID 2192 wrote to memory of 1828	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	38
PID 2192 wrote to memory of 1828	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	38
PID 2192 wrote to memory of 1828	2192	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe	38

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2192
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1072
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2216
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1296
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1828

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
05752fedf99b822551217763df90d983

SHA1
b012420b2be15ef2ab66176645ad726f9db08f91

SHA256
5a4391db53ea958a2c845094fc18cea18593609b593808edd245f744d1cb079f

SHA512
112dc77769d1f64ec4bdae3aa86eefd346609183dac5d432520b11f43ad29f750314de07728e61cbcb0dc177133e394abdcaaee69fc1e91fd5ee1a2c58bfe38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
0a5b3a65e01ff54cfd6c8f89546a4d75

SHA1
5176cfe73d02d360b6c91fd7cb81cfd848c0bb12

SHA256
7446ce621fddabc5e0d0eeaea16c0e4350d3d6bd943444fc280b7a53aaf0fff7

SHA512
251b6adcc0956ae6416e198c28bd4df4741d2143ee67fa80f45f8136265fef2d65f7c3def99a1c01f53f83f795d5669a34ced9df793d755adfb5a7402d44a7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
205KB

MD5
b1d2f287c3cb6df505d4fdff012adf46

SHA1
270fefe8d9f147d983fb33035548d1b739742467

SHA256
6f576b920e95c4335789bcdf72fa945cd3a005eb96f6c3da011a6781f483af8b

SHA512
57d1c7d5218138f6e910664d7b2f7b32132f72e6d1f60b61377597b3508ebfb949f2a10afe57f1acb20624e9fae341b9c5893308bfaace34b94e4baa484399c2

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
205KB

MD5
28357c37e444030d84a1b4516ddc32d0

SHA1
5467b9cd50846d306ac8206b51e6b9841386db14

SHA256
cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab

SHA512
39203541af816de57577387bc36463fd5dcc1c5bac3020d3bc6c0d733503f910d3b7e3adc33d5562b1becfeb5d236a309662905c1beebd6ecab1bbf80a3e64ed

Download Submit
C:\Windows\xk.exe

Filesize
205KB

MD5
1eca2818da9fddc71098a6e91d783bf4

SHA1
ba76726bdae3de7cd4c4cb3abaceb25a13350d03

SHA256
7ac2c59989c4a9e8c4a99e9219f371b6891a1881fbc6ce23c015ad24a86515c8

SHA512
90c92a53dcefd8935b52a2a7128d9ebc4326b3db2451751d4ac3f76156fd17e8cb56f0b71a5dca98c920c40415f7034f5160e9c5a902d8419e87d6daf90fa2b6

Download Submit
C:\Windows\xk.exe

Filesize
205KB

MD5
658b898117744e260c4165cf0204bf63

SHA1
79fb83ba31cc3c52f8c53e8153c19c5e7b6e1c5b

SHA256
74dd8957de9e648486206781dfdcf58dae383fb59eb3f5334ceb5bdd22f37bc4

SHA512
0d641ea21241f957faab4c66d5b6cfb4ef2ee85e9658e2b60cb3157bc5235ba6bb73ece94faa20009bc5264a1fa952f23b27ddd15d958ac11c01207441d8ac53

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
205KB

MD5
6e72d51997875b13c1afcba58768fed6

SHA1
c9b96469ebbced45fb8994cc59b5a97e2ef3514f

SHA256
e0227f3f62553acc4beb40ac37eab821afb383dcc74954ae05648d29b558eab6

SHA512
fcc50e084ae836480ad6f9e9ba5d238e29fe7ce893408044a20c8def749092a9a92b6fa39184830a7aa8c315e59bb7c023296d7d005a50212a736f2586ab21f2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
205KB

MD5
336fedc7266d26c776abb9b3889caae9

SHA1
7b474a3d34895bbf620851431d3601eee701a116

SHA256
f4c178a82195731385c96b074150695e22a31f6cdc67a73aa79e2eb6fbc00069

SHA512
ff8773c66141c273f071c66e83721f4a069d9599e6b723edbb153db653daedae3cd2eed9de720ec28f3aede74d70ed6f0cfc107fe149dee318396aa66aff4753

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
205KB

MD5
860e65bc7cd7e3635482ac459903ca21

SHA1
8a8d445c54e7639c484b161887f6209f4811d8fe

SHA256
9ecd9c4a307919b58b212a6832d3ad8b0db5bbbbb574bad3e90b81f2b472bf85

SHA512
ea69680ff9b92b1097de746955cbb20dd550b0b06972b5cdcd2cb5186095af6ef102c7a83ab941a81000a23bbeb5a3df9c8b428ad6ffa714bc58f609f540f6af

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
205KB

MD5
0a567337ea368e08bbe3894447de33ed

SHA1
6b5ff6e2b1f84da5fdf02c0b6efe532352b3f0e2

SHA256
0e7f1c48d3ae5a6918d9bf8d270e04cfabe290830092921c8d5e1b0569365fce

SHA512
f54ad18e1391e8e4c98f8452952e05b20f505e9c6316f353a3f8a210a1fa52497fe87b2fc1c67df03ec9c425c6d66d4ce85b9aa08e50697265181b58a3fb51c4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
205KB

MD5
1a3be70c68593b58caf9fb51b35411f1

SHA1
e1dca5902d47344aaf0ac1e6ea66d0cb0b3a112a

SHA256
e7e1fb6bac47db652f029e6bf2fde86ccf1708d22ff66d98d00305144d77f8cd

SHA512
53202f892ec50da104d0bb4c5f8dcebbe85a147cb5e59adcada03e89ea0c6bccb738a5d68ec3e620b27990a80f0a69c40eee485cb48fc8925da2d1feeb69ea2c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
205KB

MD5
058b78c4cc2bd68071a83761cd9627a0

SHA1
5a4b996ef5bd3b34adc2c50c50e8ba2f1d8bc733

SHA256
a406f4d6ccb319c6e884d6c658edc925b6d00492dceecc5abc59bfea03b4e4af

SHA512
93d303d93a535a6b22bec0af0cc6de167b707465b8bbd3f436b0fd5627cad6aab4ec2880d88c5f8de5c627e9796b17edfd61836f58a6b76f4ebe67b6f18fc0aa

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
205KB

MD5
2d1733e42edc294afe38ebaea40ef94c

SHA1
8294249512ba8fc6997f7a48f3cb8b803767f5ac

SHA256
4653ee8c9bdb89258457795102a649461a0c4bc68011564386bc815e7b10f96b

SHA512
2a53b366d85755d0e70cf020aa9fe8a3fe74a2ca3ea5ee72ce690e2bd656f3db4483b6ffe40940d32b3bdc40ed11c23e3df98dfaaa88c4aa5408531893a19bbd

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
205KB

MD5
d5451c9f71d42a38bc4bb3765ec3a085

SHA1
267d59e29949547aa346fb545e6cfaf3530e2867

SHA256
01e0d52670d5cd077bb9392eb8c78f18a78d553929fd16264dc7cba72d00016d

SHA512
fff6723987d3eef9179deaadd67118c6f4b4913c429202d790163f5979485bebceb9187c8fb54f549d30a3a6603b3266fb6082e35b5e8696356aa75de427a328

Download Submit
memory/1072-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1544-307-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1740-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-254-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-209-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-233-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-434-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-147-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-433-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-432-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-106-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-110-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-123-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-116-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-141-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-215-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-266-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2192-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-278-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/2216-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download