Malware Analysis Report

2024-09-11 03:12

Sample ID: 240520-jdl8paae3w
Target: d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
SHA256: e696c3c7054174c5b6fffdc39abcb7bf08cb51fa52b8429ca279b1d5b6eb097f
Tags: neshta persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e696c3c7054174c5b6fffdc39abcb7bf08cb51fa52b8429ca279b1d5b6eb097f

Threat Level: Known bad

The file d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: neshta persistence spyware stealer

Detect Neshta payload

Neshta family

Neshta

Reads user/profile data of web browsers

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-20 07:33

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Neshta family

Tags: neshta

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 07:33
Reported: 2024-05-20 07:35
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

Tags: persistence spyware neshta

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe
PID 1672 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

MD5 077939ac8bf1b058cf97930223f4dcbd
SHA1 4e2f4bba3c1628345baae4daa8da8614240c045b
SHA256 3f18cb377bc5f4a063f98fd56ba3f6df38b990f0c495ca7937ef00d0a9a745e1
SHA512 02f02989f7a284f0962bd583b04de02448b96dba36bcfd0d45da1dd4b44dda982becd4ec2ab49164db16f5c47c0138a1b73774c5a8d5e7a0402416d75d0a4b1d

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\Users\Admin\AppData\Local\Temp\nst1CA7.tmp\ioSpecial.ini

MD5 d315541ec1b59aa5ffb71a15eb3d8b86
SHA1 fe9eb7de865cf46e20bb6a70fe52ebffe44a9893
SHA256 4c851769acb08e4c0bae7c91222016971e419d00c4359b19c889056796c39394
SHA512 f82e4cb8fac3522dcf93ce847782be3bcce94dd7a791688132f31f29c18f594f353fc349c2bb996980742996597210e22fd2fc69a6ee75847f958fc027d75e77

\Users\Admin\AppData\Local\Temp\nst1CA7.tmp\InstallOptions.dll

MD5 0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1 5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

C:\Users\Admin\AppData\Local\Temp\nst1CA7.tmp\ioSpecial.ini

MD5 d0f7e9ccf2c26b16bfdf2b979226381b
SHA1 bc180efc636bf7b4d6b836c0e384aa3ddd394f69
SHA256 d68b50c8f2bc4aa1925bca76d64aa11e51c540f1d48e246632aa6ea939512bfd
SHA512 fb75779e317ed5b8288c6108414c00e89ca502cf6bd2c75e7ecd97c0cfd3f8bbd270d650340b85de52f0ec607cc5a624a1f05057fcaf98e0999987e9d70ee9e0

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/1672-162-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1672-164-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 07:33
Reported: 2024-05-20 07:35
Platform: win10v2004-20240508-en
Max time kernel: 93s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Neshta

Tags: persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

NSIS installer

Tags: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\d2d6856b1465044e5c94cb14145a8f00_NeikiAnalytics.exe

MD5 077939ac8bf1b058cf97930223f4dcbd
SHA1 4e2f4bba3c1628345baae4daa8da8614240c045b
SHA256 3f18cb377bc5f4a063f98fd56ba3f6df38b990f0c495ca7937ef00d0a9a745e1
SHA512 02f02989f7a284f0962bd583b04de02448b96dba36bcfd0d45da1dd4b44dda982becd4ec2ab49164db16f5c47c0138a1b73774c5a8d5e7a0402416d75d0a4b1d

C:\Users\Admin\AppData\Local\Temp\nsi5B70.tmp\ioSpecial.ini

MD5 80d9cf8db45467cfd95a2f38f7bc9b0b
SHA1 dfd4010563ffb6f769bb2d1ef563c79e31bc47b7
SHA256 6a26faf181c020f33de66863b68043f9cab6e89f35e5924b4e5720a10ff2f396
SHA512 2ed1aa8f6c72f6893e8a2645ed8f3ab3664202910a01b41717978c40cd7c87ee0058d7fc9f77b6434789730120a700f6994dab892f6603b73216377503731b33

C:\Users\Admin\AppData\Local\Temp\nsi5B70.tmp\InstallOptions.dll

MD5 0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1 5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/3388-175-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3388-176-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3388-178-0x0000000000400000-0x000000000041B000-memory.dmp