6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Size

272KB
MD5

317861e60ac84ff8427325e249887160
SHA1

37d9a6bee3eba04971dc7a174113141078f250bd
SHA256

6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d
SHA512

f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a
SSDEEP

3072:Ax/5F/E7tEf07jU+p+tYlpJH7iXQNgggHlxDZiYLK5Wpht4xZVX4/awxf/:AxhF4cV+wWJH7igNgjdFKsCRAR/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1056	xk.exe
2808	IExplorer.exe
2728	WINLOGON.EXE
1892	CSRSS.EXE
376	SERVICES.EXE
1608	LSASS.EXE
1588	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
1056	xk.exe
2808	IExplorer.exe
2728	WINLOGON.EXE
1892	CSRSS.EXE
376	SERVICES.EXE
1608	LSASS.EXE
1588	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1056	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1056	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1056	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 1056	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	28
PID 2044 wrote to memory of 2808	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	29
PID 2044 wrote to memory of 2808	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	29
PID 2044 wrote to memory of 2808	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	29
PID 2044 wrote to memory of 2808	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	29
PID 2044 wrote to memory of 2728	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	30
PID 2044 wrote to memory of 2728	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	30
PID 2044 wrote to memory of 2728	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	30
PID 2044 wrote to memory of 2728	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	30
PID 2044 wrote to memory of 1892	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 1892	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 1892	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 1892	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 376	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	32
PID 2044 wrote to memory of 376	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	32
PID 2044 wrote to memory of 376	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	32
PID 2044 wrote to memory of 376	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	32
PID 2044 wrote to memory of 1608	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	33
PID 2044 wrote to memory of 1608	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	33
PID 2044 wrote to memory of 1608	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	33
PID 2044 wrote to memory of 1608	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	33
PID 2044 wrote to memory of 1588	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	34
PID 2044 wrote to memory of 1588	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	34
PID 2044 wrote to memory of 1588	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	34
PID 2044 wrote to memory of 1588	2044	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2044
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:376
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1608
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
272KB

MD5
fd2b9347e94a0e51b6db31b4886f258b

SHA1
f0fde328763841e210f8e6b68d37c34b75c0dc48

SHA256
f5b1855f7ced0a0e54de1197a1220f4877466b3ac58afb297c400658c0c66bb7

SHA512
e85655440615c740e47ead1ccde424cba3b90ad39b2b44d1b6d787d7fc7ffc7f91b143dd9895f95a1148f01203c1086400868daad23862223c36e9deb7a1cab0

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
272KB

MD5
e38406495e23a2d44839757b4ae6558c

SHA1
46091021f96bf485171fb15792bdcdb9931a6954

SHA256
7e8107ea941335cabe33105c05ae4666ea7151fb2b422c7c587eeac1078c519b

SHA512
60dd151032533298be936411308f907c94e782bb9c39bf8a8161c12925d2743765aea350a460d5321426dc4216d16e00c4e67edf379be54ee68a7f4fe881cac1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
272KB

MD5
95e63bda7b79926f854a3716afdce098

SHA1
95c2e3039732b77b93d7053ce2118ece16c5bdc4

SHA256
96cb8ae0048ad3174fafdd50d14556a9bb0ceb820a0aeea816ef725dd4e11000

SHA512
016bc0310bf1be12724f3490d2d382d92bbda9c62eafba7f735e358151aa3fa3d521d470e4c30e0c9f9d968cbd7366b77cf21335ab3e21acf7a968c064539c9e

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
272KB

MD5
317861e60ac84ff8427325e249887160

SHA1
37d9a6bee3eba04971dc7a174113141078f250bd

SHA256
6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

SHA512
f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
128KB

MD5
81df711af52e37ad1fedb08f120723aa

SHA1
34b444a05458bfcbbf372213728cfc679ed22c1f

SHA256
4f2996b2b26186587f3ac0414a19907dc3c51e209382ea4f4460809a4c07535c

SHA512
6c8cd74d65dbfdaa25df730cbf5a603d0e1794ed3bca42d188e19b1a0c55aa553488f511068f65ea1d214600ffe59234f897fed7fb5339c18729875581f6ad05

Download Submit
C:\Windows\xk.exe

Filesize
272KB

MD5
c66ba444280f87cc838fa17b91498c82

SHA1
420b1872f8382f3d84c79cffb0727c866896be87

SHA256
4c20665a7369990148ead2905be6fce72ac5780b7754bf29b5a6807322f28b62

SHA512
c88f208b96fa3fefe1d91a72f88877aef32416684900ca5f8998cb64aed753085f0ada145728346b5a563e50952a247debe05d0a7bae5c0234bf90c59ce888aa

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
128KB

MD5
fc14ffd586403abc45151dc2c3be3000

SHA1
9c34c185fb3b25f5ea92ef18a4f1c2b16986a985

SHA256
966c1c80cc737b41685511b371a0751e4c5df9f382ab87c2db602c92f596e8d6

SHA512
e8316238ca72499229e11129cb0a408b7cb33d20174a1b5fcdc989ad14ad43ff61816d6688ad8f651b10ba86f67493a52133ef91ba3a2f8b6fdf77dd7101714e

Download Submit