Overview

overview

10

Static

static

7

352ee5de7d...cs.exe

windows7-x64

10

352ee5de7d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 04:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    352ee5de7da7becfa320a4ad277e8dfb44d989ce706539302df6c14fbf2d353e_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    8817bdfda92eb788f989aa5305311820

  • SHA1

    c02ad0c8f7faaa7510c73796810e9c0e1cbd76e3

  • SHA256

    352ee5de7da7becfa320a4ad277e8dfb44d989ce706539302df6c14fbf2d353e

  • SHA512

    1ccf67b7b111c0f6d7b2c2025699510c7b3f2e5bc01673808839d5228320adf04c0b0f304730040499265593945f10e3e1f3f2f5c4e4c70273315dcd18f82898

  • SSDEEP

    1536:yOcjUpkWb2TTgKwu0haOcjUpkWb2TTgKwuq:yOcjWJu7trOcjWJu7tq

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 16 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
    evasion
  • Disables RegEdit via registry modification 16 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 56 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
    persistence
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 40 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 50 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 32 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 7 IoCs
  • Suspicious use of SetWindowsHookEx 57 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 40 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\352ee5de7da7becfa320a4ad277e8dfb44d989ce706539302df6c14fbf2d353e_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\352ee5de7da7becfa320a4ad277e8dfb44d989ce706539302df6c14fbf2d353e_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2136
    • C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1196
      • C:\Windows\Notepad.exe
        Notepad.exe C:\Puisi.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2832
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1500
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2396
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2988
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2952
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2968
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1740
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2844
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:272
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1992
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2424
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2940
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1824
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1948
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2180
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1048
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2908
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1296
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2416
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2432
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:296
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1652
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2776
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2620
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2556
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1684
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2324
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1792
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1680
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1636
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2608
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1700
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1548
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2252
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2728
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1248
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1256
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:264
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1048
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1056
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2172
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1200
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1960
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1816
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1400
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1488
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1964
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2304
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

6
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\4k51k4.exe
    Filesize

    91KB

    MD5

    9936f75965a4b81e87477b88ba35b0eb

    SHA1

    78563ad86dfea7faebddee04cc4e4697d1fdeef7

    SHA256

    dba5038f015542a95639501c97da6225a31adc0d086746bbed9a227ffb311b85

    SHA512

    e61195cfb54ce5cfef6ea2b8bbf5b8898228a4163607781b9507e5d10f9ee934372a6cc030dea31fdc99f521e0943ff4ce2d1a872a88785329e93b821b8287d8

    Download Submit
  • C:\4k51k4.exe
    Filesize

    91KB

    MD5

    9fb93e83dccbd4f484fe94a3bea31729

    SHA1

    5b31c7b017b940ece387597e3daaef2d3692e1a5

    SHA256

    8a896269ef5b581355844cf83e973d23f9e8c07f62fa01fd77d4d4007fd768be

    SHA512

    7b59da968225d80b8b40097add761e8796a74f000fd380695c17764bdc846157d5c1fbe63d0456ccd8f6d62e35701024e6e0139a370a41492ba13880ddd75a42

    Download Submit
  • C:\Puisi.txt
    Filesize

    442B

    MD5

    001424d7974b9a3995af292f6fcfe171

    SHA1

    f8201d49d594d712c8450679c856c2e8307d2337

    SHA256

    660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

    SHA512

    66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    3db47f9427d21fcaad354868337a2352

    SHA1

    cedf36aa8493f0d3ec044f48e65763ee7aefbe9e

    SHA256

    69d6a33f152ded3312dc61dd2ae64034952a46a5605fe8169a7bd25bba8d3747

    SHA512

    4a4d9dc761645f9d517fd8e1ed8092a00b942817dbb787ad50df9b3de450ab270bc1d12c5209673ef822c9679e4265d574e596eb7e0e5b8f9bea2610c2f1ff82

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    61da4db7a0eed043c4ce9f290852135c

    SHA1

    c48d7f4ec55fd83b20167598f598137e44b95143

    SHA256

    da5878c87f0242ff1895703d57b544227f1a9793a9d0fe3061a0ef6552252d1e

    SHA512

    081fdc5f8f8a66b90337b6c341d55c954481d5722d8d18e7e9d0f0320079657417512bee931967e5fa5ecc7f825175ebc33d5bd3b5314fb35f4155bf5b58c32b

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    167853398d01cfb0fb69b9e06d228d29

    SHA1

    5e80d5ee7ffb275d10cea4dac9c747ae1fd01b84

    SHA256

    c09b778172a70ffd9849d61988225807c2fa644a321b3c7d329642f645878f18

    SHA512

    9559ac0c139d0294daab22c228a87da89739489ca35a4a11574c87343a4a6e6840a059204771c2c5d29aa5ae4efbbf8922d4824bc06a32b6ce2be0584432a960

    Download Submit
  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    8817bdfda92eb788f989aa5305311820

    SHA1

    c02ad0c8f7faaa7510c73796810e9c0e1cbd76e3

    SHA256

    352ee5de7da7becfa320a4ad277e8dfb44d989ce706539302df6c14fbf2d353e

    SHA512

    1ccf67b7b111c0f6d7b2c2025699510c7b3f2e5bc01673808839d5228320adf04c0b0f304730040499265593945f10e3e1f3f2f5c4e4c70273315dcd18f82898

    Download Submit
  • C:\Windows\4k51k4.exe
    Filesize

    91KB

    MD5

    275f32f9ddd235610766fe5f82e8e6c9

    SHA1

    e9bfd25e958596666618a85366e05f43eb888b6e

    SHA256

    6f7d656d55e12c488e22f5a2a4a5e91e9c80019162602ae7dd0b025a634b5147

    SHA512

    c1ffe5d997c69b64d424f2ce4a64d05f16d86fa8b721d87f533c2ba5c17b42754983c350ad95f497941dfa782e9a2cbcd608ec9697a00fe04938be8b4fab826d

    Download Submit
  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit
  • C:\Windows\SysWOW64\shell.exe
    Filesize

    91KB

    MD5

    0f6ac3d326a4a75f6c628f3a6d9f12e0

    SHA1

    27f3f429f876226ff00331b38c9e9727c59a04eb

    SHA256

    884bfaf545113c2e8809587aefc5a8f259d04d3c7dbfe40b683b6bee286e0570

    SHA512

    7a962b8018ea257e9e2daacdc47fe00cf03f52f63cb9ea85e3531a7cd87d660db7bf968b3815f9de0f2cdd9a7d2634bee754bf2574d4edc32b2f67a382c1b38e

    Download Submit
  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    f647db30515831c1e17e9cdddb420028

    SHA1

    ea9dbf7c4007f3321e25bcd1a22fae0abf1f1429

    SHA256

    83ff00676184bffe804bce78a13adcf975ab46a7b4583bddcabd00c15d4e8451

    SHA512

    00f217f81ad6097c5391952211d8b3cf880595eeb7ec16aeed87d86a63bd50696353587962365da60f9e10f6d72d867d842258ab2099d2aad743c31bc0d61cb5

    Download Submit
  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    8b6501ec496939a12e41f169cccb1f5f

    SHA1

    42c0e548436c99446fa9a8acb80d2f74d6cdf078

    SHA256

    36d89080b229729b62e697f3b5947a1b7aa97e49b850bcec83d3a2284d3d6614

    SHA512

    48e9f4dec227b240cb43437073022821ec6c0e0df4b03c2e538f2145d7a79a16d39b59d63806a441f0000c244978f334e640656a2a76f90d90bd7c42b6f63b89

    Download Submit
  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    ed73bbed67c4030a9ef221f9f75795a7

    SHA1

    bd0d4c587b539e163827322fb2e318f0ff605e11

    SHA256

    264681e034b0e419de72c62f00bf7d26049db043a330ad17bcb323a2112e8980

    SHA512

    62921220e9850b3ef2f5004bf4c3173c725e3e3c1e327ce79975b25364f1e3a7a19f27a660aa78e13aeda94e7e0e3299af0fe28f8363099ed036341fccab9532

    Download Submit
  • memory/264-526-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/264-524-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/272-298-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/272-297-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/296-553-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1048-294-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1048-291-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1048-566-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1048-565-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1048-568-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1056-580-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-452-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-116-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-348-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-218-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-253-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-220-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-312-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-614-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-330-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-221-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1196-340-0x00000000031F0000-0x0000000003213000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1200-520-0x00000000030E0000-0x0000000003103000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1200-326-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1248-457-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1248-458-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1248-455-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1256-485-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1296-344-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1296-342-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1400-521-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1400-535-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1488-558-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1500-219-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1500-217-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1548-537-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1636-454-0x0000000000540000-0x0000000000563000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1636-300-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1636-518-0x0000000000540000-0x0000000000563000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1652-281-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1652-361-0x0000000001E70000-0x0000000001E93000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1652-617-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1652-404-0x0000000001E70000-0x0000000001E93000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1680-590-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1684-515-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1700-544-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1700-522-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1740-449-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1792-572-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1792-578-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1816-475-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1824-559-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1824-554-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1960-460-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1960-461-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1960-453-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1964-564-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-139-0x0000000000560000-0x0000000000583000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-159-0x0000000000560000-0x0000000000583000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-0-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-121-0x0000000000560000-0x0000000000583000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-115-0x0000000000560000-0x0000000000583000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-181-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2136-114-0x0000000000560000-0x0000000000583000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-470-0x0000000001C30000-0x0000000001C53000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-301-0x0000000001C30000-0x0000000001C53000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-616-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-255-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-401-0x0000000001C30000-0x0000000001C53000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-398-0x0000000001C30000-0x0000000001C53000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2180-141-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2252-556-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2396-234-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2416-390-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2432-501-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2556-407-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2556-417-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2608-392-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2608-393-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2620-385-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2620-388-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2640-424-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2696-483-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2728-519-0x0000000000820000-0x0000000000843000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2728-560-0x0000000000820000-0x0000000000843000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2728-523-0x0000000000820000-0x0000000000843000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2728-311-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2740-431-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2776-382-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2776-381-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2844-615-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-252-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-549-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-406-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-341-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-473-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-403-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-279-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-467-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-360-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-542-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2844-359-0x00000000004F0000-0x0000000000513000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2908-350-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2940-539-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2952-305-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2968-327-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2968-329-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/2988-288-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/3016-479-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/3040-321-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download
  • memory/3040-313-0x0000000000400000-0x0000000000423000-memory.dmp
    Filesize

    140KB

    Download