002224a293bc6555797a4a5ac337b12f49e9fc394b8cc31061268e0cb20154e1

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Size

45KB
MD5

6900029338f303d8158a0a72a07e0120
SHA1

9191870df680df8e8c7497e1384430071510f302
SHA256

002224a293bc6555797a4a5ac337b12f49e9fc394b8cc31061268e0cb20154e1
SHA512

8a5d227d6f7e60aaed5cc16244ae9507871c829a56c43987af5782b28f58879b70967184a7104c508ca086cd42b26e19e10752657a941830734dd4bab4abe424
SSDEEP

768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nE5:zAwEmBZ04faWmtN4nic+6G5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
776	xk.exe
2760	IExplorer.exe
2108	WINLOGON.EXE
2376	CSRSS.EXE
1812	SERVICES.EXE
2412	LSASS.EXE
912	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
776	xk.exe
2760	IExplorer.exe
2108	WINLOGON.EXE
2376	CSRSS.EXE
1812	SERVICES.EXE
2412	LSASS.EXE
912	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 776	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 776	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 776	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 776	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2760	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2760	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2760	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2760	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2108	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	30
PID 2080 wrote to memory of 2108	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	30
PID 2080 wrote to memory of 2108	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	30
PID 2080 wrote to memory of 2108	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	30
PID 2080 wrote to memory of 2376	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	31
PID 2080 wrote to memory of 2376	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	31
PID 2080 wrote to memory of 2376	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	31
PID 2080 wrote to memory of 2376	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	31
PID 2080 wrote to memory of 1812	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	32
PID 2080 wrote to memory of 1812	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	32
PID 2080 wrote to memory of 1812	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	32
PID 2080 wrote to memory of 1812	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	32
PID 2080 wrote to memory of 2412	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	33
PID 2080 wrote to memory of 2412	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	33
PID 2080 wrote to memory of 2412	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	33
PID 2080 wrote to memory of 2412	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	33
PID 2080 wrote to memory of 912	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	34
PID 2080 wrote to memory of 912	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	34
PID 2080 wrote to memory of 912	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	34
PID 2080 wrote to memory of 912	2080	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6900029338f303d8158a0a72a07e0120_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2080
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:776
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
45KB

MD5
6900029338f303d8158a0a72a07e0120

SHA1
9191870df680df8e8c7497e1384430071510f302

SHA256
002224a293bc6555797a4a5ac337b12f49e9fc394b8cc31061268e0cb20154e1

SHA512
8a5d227d6f7e60aaed5cc16244ae9507871c829a56c43987af5782b28f58879b70967184a7104c508ca086cd42b26e19e10752657a941830734dd4bab4abe424

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
87b6a7df4b47c3ab08712fb834228918

SHA1
b2e9e350571f2e17404dba6850ec543523cff893

SHA256
aaeba1f3957843dc17298ba3a6030ca156bce54577fb3975fe7ce0425f84ad48

SHA512
3a722c1e80e501dd7a20d35855d7dfcf4cc17d910bccc1a88d5083c361580ba966002fc4d2f0c0c065b1c25cd04da485b06e297b4dc86f7297b7093df779946b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
943f8cb7bbeacc1d34db1eebe7851128

SHA1
6d5aa125c0cc6ed99ea6eeae37842434394190d2

SHA256
4380344aeabd48228470217af1dc3e68c3cb3ddf0da8facaca64b7ace4bf8e8b

SHA512
22ef00c93b3bcdbea54a03aebbdfde1b1da17abdecec91d2c77e825e884ab6e51fc2f95436c62aebd23efebadad293ecfe617c63adf1a12aa5227e14733ba3ef

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
5dbbd7584129e0f18971362eeca05b2f

SHA1
e6b5e83b8fe249f26e3a1eb8e33f95f1efea1221

SHA256
6679c38dea9f0e3c55c4ec689eb2302c85f40e2789db190b0c624f5563fc58a8

SHA512
6e7cbb0fb73606382be73aca5d75ca5794e6ce0f8dc09840acc1af54e23df045a683bbdf0f5a63ef815016161150ffd5016de0a16e380c298289d9e5565034d6

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
da4479a4af9b91b5090105fa8ebfcd93

SHA1
567cf9f71d9601153c293dc827d969361db022ed

SHA256
8e9e6c24d195a67b276762a8846b4d445c44ad09c0b443c24d0a7b487244c4c2

SHA512
2c58482850e5b2f812ceb3527afe6e5770e4c187bfec31004231fe97f72f33bd38a035c866388708602fd3dbe5e9c2489931b9d0fc7183f1892a8d5d1b29d7a3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
5ede8e3b0b17682920a6810fa82968c9

SHA1
da362fc98f1b73473aa163ddc1863beea79dd9f3

SHA256
4e4de8ed22476f8b9579da1ce919d40c0e7e9431f246a4d99a3dab83b0a7a5e5

SHA512
2acf9be7c8d6a0061ace50c4c713903ad80b58d74ee52529e02ceeebc8229ca2db555ae17a21759cbcee40a9c125ef53c1072a0533f1953ed1be386127f58a94

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
cd053e2ba1dbbb187458079d0f6c8db7

SHA1
3535380fbc2d7299847af40e3ffcb35e1b1bd943

SHA256
2cef8d6a7034610d7d4eaec49c59f2f90e1f3df6df1e0103966cb10e0d971446

SHA512
71a22ea5aa573a4cdb843a3ae780bcef5e629c8dd044d2b091a0b3b79090fc8c323754d9a945f006908cd17b3c40cc79aa0d203842ecc2f54fa5d0f4ab6fe641

Download Submit
memory/776-111-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/776-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-189-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1812-163-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2080-162-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-109-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-138-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-137-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-184-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-190-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2080-149-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-124-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-110-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2080-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2080-117-0x0000000002690000-0x00000000026BE000-memory.dmp

Filesize
184KB

Download
memory/2108-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2376-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2412-178-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-130-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download