c53cd48d775b617fa66e0fa29faa4cd5588c246b20d05726b0a8730ca87af459

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Size

91KB
MD5

990516abde06236247cb12203e637b00
SHA1

0cf9a0169dc3265faee8122875289ff52cc14383
SHA256

c53cd48d775b617fa66e0fa29faa4cd5588c246b20d05726b0a8730ca87af459
SHA512

c4019972e34ae53c5e9cfe472f86ae112782f2671bf6ddb0ff1b6f5653e5f94453207698fe980c6742f0dbd63d3808958e9de31b9f0611a41e8622a1994a4ea3
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuF3gRYjXbUeHORIC4Z6:uT3OA3+KQsxfS4iT3OA3+KQsxfS4u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
632	xk.exe
2456	IExplorer.exe
1512	WINLOGON.EXE
2148	CSRSS.EXE
1560	SERVICES.EXE
2040	LSASS.EXE
2740	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
632	xk.exe
2456	IExplorer.exe
1512	WINLOGON.EXE
2148	CSRSS.EXE
1560	SERVICES.EXE
2040	LSASS.EXE
2740	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 632	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 632	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 632	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 632	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 2456	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	29
PID 2084 wrote to memory of 2456	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	29
PID 2084 wrote to memory of 2456	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	29
PID 2084 wrote to memory of 2456	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	29
PID 2084 wrote to memory of 1512	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	30
PID 2084 wrote to memory of 1512	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	30
PID 2084 wrote to memory of 1512	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	30
PID 2084 wrote to memory of 1512	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	30
PID 2084 wrote to memory of 2148	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	31
PID 2084 wrote to memory of 2148	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	31
PID 2084 wrote to memory of 2148	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	31
PID 2084 wrote to memory of 2148	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	31
PID 2084 wrote to memory of 1560	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	32
PID 2084 wrote to memory of 1560	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	32
PID 2084 wrote to memory of 1560	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	32
PID 2084 wrote to memory of 1560	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	32
PID 2084 wrote to memory of 2040	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	33
PID 2084 wrote to memory of 2040	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	33
PID 2084 wrote to memory of 2040	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	33
PID 2084 wrote to memory of 2040	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	33
PID 2084 wrote to memory of 2740	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	34
PID 2084 wrote to memory of 2740	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	34
PID 2084 wrote to memory of 2740	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	34
PID 2084 wrote to memory of 2740	2084	990516abde06236247cb12203e637b00_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	990516abde06236247cb12203e637b00_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	990516abde06236247cb12203e637b00_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\990516abde06236247cb12203e637b00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\990516abde06236247cb12203e637b00_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2084
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:632
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1512
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
990516abde06236247cb12203e637b00

SHA1
0cf9a0169dc3265faee8122875289ff52cc14383

SHA256
c53cd48d775b617fa66e0fa29faa4cd5588c246b20d05726b0a8730ca87af459

SHA512
c4019972e34ae53c5e9cfe472f86ae112782f2671bf6ddb0ff1b6f5653e5f94453207698fe980c6742f0dbd63d3808958e9de31b9f0611a41e8622a1994a4ea3

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
9ec4e5848565bfc7e7aded8669565493

SHA1
363c75beede68c50a3bc431dbe043e1aced80dc7

SHA256
374a398c8dbe16dd55588f9af632b57e62d8c92197adee9826796b0c2c13bea6

SHA512
1924f5b77769864d2717fb0decb7a7cc3f7b9a7e63d3ec597e6bb80f2739af47fa24d9c726e37818f5ad78805e96bad9311da5c3039588051698c475a8e49fff

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c4c20993e7bd5374fd53664802eb9a89

SHA1
895d84e01af0efcdc730bedf0c619375ff4a022a

SHA256
b69c92e8c464bed2ccaf5a340ac0587e8e9f6b2c69681dd89b70a33039adde49

SHA512
6c151a46534010c3eceb3817b18b5444822f41180c944ff992b227e8c614e5f8e7efe1a56899034b666cd3b2a7e5f5d82dfecfd60fcb198a8c011681a7e56072

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
1f412dee4366f9a41c556333fcdf9871

SHA1
93faa370fc27db099c833ed7e8a93aabe3e44704

SHA256
aaee0a10a924434bfafde010697438bddf330df23d9a39cb98349c31a4ceda17

SHA512
63383f1596bf7fbe1b02512edbdd142af9b9b90abf886c8598840b3415b55b7c2404de7d12f5d453ebb57e786d681b53cd89577ba8ac79e689f0344f3d707377

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
77bdddb1e651da955337bb4c95f694b2

SHA1
8cd0bdd47f5369ff19a1d54603e406a086b3766c

SHA256
776b3d5047e86b072fcc858b292f35796d5743188057749bb16fe71dcda63ed4

SHA512
59d8cb0f5bfb756c47f14fedd7d543f2866019e05afd428e1d8b60eeff87f3a16013e49ddb573a113729b59dd93fbe0b3c7efbc618078019dc09dddf29cdcaa9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
2df816356aee1f18084000f782b24229

SHA1
3a56fb2ac16f198a209243311dde98898e06b510

SHA256
7a799fc8d6df293cd80fea2c54911dbba429bdcc774ef85f1233293ec748d3f7

SHA512
8c6c0e06bade3a7c8baed87484176539852c343e73e203c369af09776d4b0bc5942dad6c1b56201bff473a9c95c9ca0385bbb10286ed6b321c8548b1d338ba89

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
ea0e566ea99ecab9551783ac6523e973

SHA1
f17fa6957745a60e3ad3a5e02005cb13948dd451

SHA256
eddbf7950dbf907ee8f446b8970ae90c58a48f817ff191aaf03886677f8bb482

SHA512
4548ec5c6de96f32100ab0f69312ad22c8edacc93780295e9a157916df042705ba46caad6eea26a4b1b7165a21ba2056e4ed5ddb8efc7cc532b5932b2b357955

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
fe5e34ffa62c658457a5e3d48a0f4e2f

SHA1
9847a2efa45e25872f9330af460b60452910a5a6

SHA256
d6a2966dce76ad8efa4b1767cfc2fd9109de76b94b3ac11a13aa797251a86c78

SHA512
15ac9373de67782809a990780b61bd90edfaa2ead6dfe4b485c377a30779f5ed5943b9fc3abd60e477de40d3cbdfa676df12b235032d62cbc0a6f39883a60600

Download Submit
memory/632-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/632-117-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/632-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/632-115-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1512-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1512-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1512-144-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1560-188-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1560-173-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1560-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-193-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-189-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2084-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2084-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2084-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2084-153-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2084-158-0x00000000030B0000-0x00000000030DC000-memory.dmp

Filesize
176KB

Download
memory/2084-208-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2084-209-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2084-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2084-177-0x00000000030B0000-0x00000000030DC000-memory.dmp

Filesize
176KB

Download
memory/2084-113-0x00000000030B0000-0x00000000030DC000-memory.dmp

Filesize
176KB

Download
memory/2084-112-0x00000000030B0000-0x00000000030DC000-memory.dmp

Filesize
176KB

Download
memory/2084-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2084-181-0x00000000030B0000-0x00000000030DC000-memory.dmp

Filesize
176KB

Download
memory/2148-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-160-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2456-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2456-131-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2456-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2456-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2740-201-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2740-206-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download