Analysis Overview
SHA256
edd1776d51dc7b82153c41c5870afe1508dedbdd03994274d9d4f2deeef8fe8a
Threat Level: Known bad
The file 240613-mhrwhsyfjr_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Neshta
Neshta family
Detect Neshta payload
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Modifies system executable filetype association
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Runs regedit.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 14:39
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 14:39
Reported
2024-06-15 15:15
Platform
win10v2004-20240508-en
Max time kernel
828s
Max time network
759s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe | N/A |
Executes dropped EXE
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = " \"%1\" %*" | C:\Windows\SysWOW64\regedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\SysWOW64\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege; LUID left unresolved by the sandbox) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID left unresolved by the sandbox) | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\PROGRA~1\MOZILL~1\firefox.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege; LUID left unresolved by the sandbox) | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
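The Processes section below records one launch chain over and over: C:\Windows\svchost.com is started with the real executable as its first argument, and that executable runs next. Usually the argument is Neshta's stashed copy of the sample under ...\Temp\3582-490\, but at one point it is C:\Windows\system32\taskmgr.exe, which can only reach the loader if the launch path for .exe files has been redirected to it. The Python below is an added example, not part of the sandbox report, that recognises this chain in (image, command line) pairs of the kind printed here. The sample records are constructed from this report; the exact loader path and the 3582-490 directory name are the only indicators it relies on, and the legitimate C:\Windows\system32\svchost.exe entries are deliberately left unflagged because matching on the bare name "svchost" would be wrong.

```python
"""Flag the Neshta loader chain in process-creation records.

Added example: the records are constructed from the report's Processes section,
not parsed from the sandbox. Detection rests on two indicators visible there:
the loader's exact path and the staging directory Neshta uses for originals.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The legitimate service host is C:\Windows\System32\svchost.exe (.exe, in System32).
# Neshta's loader is a .com file in the Windows root; compare the full path.
NESHTA_LOADER = r"c:\windows\svchost.com"
# Directory under %TEMP% where the original copy of each wrapped EXE is kept.
NESHTA_STAGING = "\\3582-490\\"

# Constructed (image path, command line) pairs in the order the report lists them.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"'),
    (r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"'),
    (r"C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE",
     r"C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"),
    (r"C:\Windows\svchost.com",
     r'"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4'),
    (r"C:\Windows\SysWOW64\taskmgr.exe", r"C:\Windows\system32\taskmgr.exe /4"),
    (r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc"),
]


@dataclass
class Finding:
    loader: str     # image that did the wrapping
    wrapped: str    # executable it passed control to
    category: str   # staged_copy | hijacked_system_binary | wrapped_exe
    cmdline: str


_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _ARG.findall(cmdline)]


def classify(image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when `image` is the Neshta loader wrapping another EXE."""
    if image.lower() != NESHTA_LOADER:
        return None
    argv = split_cmdline(cmdline)
    if len(argv) < 2:
        return None  # loader started bare; nothing is being chained
    wrapped = argv[1]
    low = wrapped.lower()
    if NESHTA_STAGING in low:
        # The loader is running the original copy it stashed for an infected EXE.
        category = "staged_copy"
    elif low.startswith("c:\\windows\\"):
        # A system binary only arrives here if .exe launches are redirected to the loader.
        category = "hijacked_system_binary"
    else:
        category = "wrapped_exe"
    return Finding(image, wrapped, category, cmdline)


def scan(records: Sequence[Tuple[str, str]]) -> List[Finding]:
    """Run classify() over (image, command line) pairs and keep the hits."""
    findings: List[Finding] = []
    for image, cmdline in records:
        finding = classify(image, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"{f.category:24} {f.loader} -> {f.wrapped}")
```

On real telemetry the same logic applies to parent/child pairs from process-creation events: the parent image is the loader and the child is argv[1] of its command line. Keep the full-path comparison; a rule that only looks for "svchost" in the image name will drown in legitimate service-host events.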
Processes
C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\system32\taskmgr.exe /4
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 7qDJgvaIoEm4mb39VIyvMw.0.2
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3972 -ip 3972
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\svchost.com"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\taskmgr.exe
C:\Windows\system32\taskmgr.exe /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3836,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3360 /prefetch:8
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe"
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.0.540630610\1460042517" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {0cf0ee91-301d-4af7-b319-cfdbccc22514} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 1852 1dac5b0db58 gpu
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.1.328560089\1636503531" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22170 -prefMapSize 235121 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {0ee7f14c-c4fd-4ff0-b8dd-493365f72584} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 2408 1dab8d89f58 socket
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.2.1473701523\1584155856" -childID 1 -isForBrowser -prefsHandle 2700 -prefMapHandle 2904 -prefsLen 22208 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {1c8f0422-de75-42dc-8780-81119a55b86f} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 2880 1dac8630658 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.3.11069858\1147711007" -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 27674 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {9651d29d-0c06-49df-af56-df68d6a500ca} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3772 1dab8d7ab58 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.4.907635242\2078079628" -childID 3 -isForBrowser -prefsHandle 4648 -prefMapHandle 3760 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {48cb2fa7-d45a-4b41-88a2-066ec06384e2} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3424 1daccceb758 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.5.1462121661\519421820" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {b3326218-3523-4a82-a8d7-33039096b83c} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5336 1dacccec358 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.6.1881463614\76302595" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5236 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {15026783-8fda-4b93-8a37-4cc6dbe0423d} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5224 1daccced558 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.7.866761058\529719560" -childID 6 -isForBrowser -prefsHandle 5632 -prefMapHandle 4648 -prefsLen 27859 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {be2fa63a-daa1-45ae-bd35-33dcf85d7d69} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5624 1dac8353e58 tab
C:\PROGRA~1\MOZILL~1\firefox.exe
"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.8.548660315\991208746" -childID 7 -isForBrowser -prefsHandle 4876 -prefMapHandle 5232 -prefsLen 28124 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {22c3ea16-a4dc-4263-bd0f-b57774855d7c} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5688 1dac4a5fe58 tab
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\regedit.exe"
C:\Windows\SysWOW64\regedit.exe
C:\Windows\regedit.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:51102 | | tcp |
| N/A | 127.0.0.1:51379 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | ds1nc.ru | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
C:\Windows\svchost.com
C:\Windows\directx.sys
C:\Windows\directx.sys
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\Windows\directx.sys
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4
C:\Windows\directx.sys