Malware Analysis Report

2024-09-11 00:53

Sample ID 240615-r1mfzaxhmm
Target 240613-mhrwhsyfjr_pw_infected.zip
SHA256 edd1776d51dc7b82153c41c5870afe1508dedbdd03994274d9d4f2deeef8fe8a
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edd1776d51dc7b82153c41c5870afe1508dedbdd03994274d9d4f2deeef8fe8a

Threat Level: Known bad

The file 240613-mhrwhsyfjr_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Neshta family

Detect Neshta payload

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs regedit.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 14:39

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 14:39

Reported

2024-06-15 15:15

Platform

win10v2004-20240508-en

Max time kernel

828s

Max time network

759s

Command Line

"C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = " \"%1\" %*" C:\Windows\SysWOW64\regedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\SysWOW64\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\SysWOW64\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\PROGRA~1\MOZILL~1\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\PROGRA~1\MOZILL~1\firefox.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
PID 2040 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
PID 2040 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe
PID 4464 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Windows\svchost.com
PID 4464 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Windows\svchost.com
PID 4464 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe C:\Windows\svchost.com
PID 3380 wrote to memory of 1636 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 3380 wrote to memory of 1636 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 1636 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 2164 wrote to memory of 5004 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 5004 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 4196 wrote to memory of 4160 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 4160 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 2828 wrote to memory of 4984 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 4984 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 3160 wrote to memory of 4624 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 4624 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 4288 wrote to memory of 3564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 3564 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 1100 wrote to memory of 512 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 512 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 5052 wrote to memory of 3456 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 3456 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 3184 wrote to memory of 2000 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 2000 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com
PID 3292 wrote to memory of 3240 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE
PID 3240 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE C:\Windows\svchost.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\SysWOW64\taskmgr.exe

C:\Windows\system32\taskmgr.exe /4

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 7qDJgvaIoEm4mb39VIyvMw.0.2

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

[Condensed: the preceding svchost.com / 747DD5~1.EXE pair is listed 17 further times at this point, with identical image paths and command lines on every occurrence (the listing carries no PIDs, so the repeats are indistinguishable); 18 occurrences in this block in total.]

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 456 -p 3972 -ip 3972

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\svchost.com"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\taskmgr.exe

C:\Windows\system32\taskmgr.exe /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3836,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3360 /prefetch:8

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe"

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.0.540630610\1460042517" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\PROGRA~1\MOZILL~1\browser" - {0cf0ee91-301d-4af7-b319-cfdbccc22514} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 1852 1dac5b0db58 gpu

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.1.328560089\1636503531" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22170 -prefMapSize 235121 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {0ee7f14c-c4fd-4ff0-b8dd-493365f72584} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 2408 1dab8d89f58 socket

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.2.1473701523\1584155856" -childID 1 -isForBrowser -prefsHandle 2700 -prefMapHandle 2904 -prefsLen 22208 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {1c8f0422-de75-42dc-8780-81119a55b86f} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 2880 1dac8630658 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.3.11069858\1147711007" -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 27674 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {9651d29d-0c06-49df-af56-df68d6a500ca} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3772 1dab8d7ab58 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.4.907635242\2078079628" -childID 3 -isForBrowser -prefsHandle 4648 -prefMapHandle 3760 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {48cb2fa7-d45a-4b41-88a2-066ec06384e2} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 3424 1daccceb758 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.5.1462121661\519421820" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {b3326218-3523-4a82-a8d7-33039096b83c} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5336 1dacccec358 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.6.1881463614\76302595" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5236 -prefsLen 27780 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {15026783-8fda-4b93-8a37-4cc6dbe0423d} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5224 1daccced558 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.7.866761058\529719560" -childID 6 -isForBrowser -prefsHandle 5632 -prefMapHandle 4648 -prefsLen 27859 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {be2fa63a-daa1-45ae-bd35-33dcf85d7d69} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5624 1dac8353e58 tab

C:\PROGRA~1\MOZILL~1\firefox.exe

"C:\PROGRA~1\MOZILL~1\firefox.exe" -contentproc --channel="1508.8.548660315\991208746" -childID 7 -isForBrowser -prefsHandle 4876 -prefMapHandle 5232 -prefsLen 28124 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\PROGRA~1\MOZILL~1\browser" - {22c3ea16-a4dc-4263-bd0f-b57774855d7c} 1508 "\\.\pipe\gecko-crash-server-pipe.1508" 5688 1dac4a5fe58 tab

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\regedit.exe"

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding
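
The launch chain above repeats one fixed pattern, and that pattern is the Neshta file infector at work: an infected executable runs the Neshta body (C:\Windows\svchost.com, a .com file in the Windows root, not the real C:\Windows\System32\svchost.exe), which writes the original program out to %TEMP%\3582-490\ and executes it from there. The later svchost.com entries that launch taskmgr.exe, firefox.exe and regedit.exe are the "Modifies system executable filetype association" signature in action: once Neshta owns the exefile open command, every .exe the user starts is proxied through it. The Python below is an added example, not part of this report or of any sandbox tooling. It parses a constructed excerpt of the listing (entries copied from above), flags both indicators, and checks an exefile handler value. The handler string `%SystemRoot%\svchost.com "%1" %*` used in the usage note is the value reported for this family elsewhere and is an assumption here; this report only records that the association was modified. `current_exefile_command` reads the live key and therefore only works on Windows.

```python
"""Neshta launch-chain indicators in a Triage-style process listing (added example)."""
import re

# The Neshta body lives at the Windows root with a .com extension; the real
# service host is C:\Windows\System32\svchost.exe. Compared case-insensitively.
NESHTA_IMAGE = "c:\\windows\\svchost.com"
# Staging directory (seen in the listing) where the original program is
# written out before svchost.com runs it.
STAGING_DIR = "\\3582-490\\"
# Default value of HKCR\exefile\shell\open\command on a clean system.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed excerpt in the report's own layout: image path line, blank
# line, command line, blank line. Entries are copied from the listing above.
SAMPLE_PROCESS_LIST = r'''
C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\747DD5~1.EXE

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 7qDJgvaIoEm4mb39VIyvMw.0.2

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\taskmgr.exe

C:\Windows\system32\taskmgr.exe /4

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~1\MOZILL~1\firefox.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\regedit.exe"
'''

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_command_line(cmdline: str) -> list:
    """Tokenise a Windows command line, treating only double quotes as grouping."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_process_list(text: str) -> list:
    """Pair each image path with the command line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing does not alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def analyze_process_list(text: str) -> dict:
    """Collect what svchost.com proxied and what ran out of the staging directory."""
    proxied, staged, findings = [], 0, []
    for image, cmdline in parse_process_list(text):
        if image.lower() == NESHTA_IMAGE:
            tokens = split_command_line(cmdline)
            target = tokens[1] if len(tokens) > 1 else ""
            proxied.append(target)
            findings.append(f"svchost.com proxied launch of {target or '<no target>'}")
        if STAGING_DIR in image.lower():
            staged += 1
            findings.append(f"executable run from Neshta staging directory: {image}")
    return {"proxied_launches": proxied, "staged_originals": staged, "findings": findings}


def exefile_hijacked(command_value: str) -> bool:
    """True when the exefile open command does not start with the "%1" target,
    i.e. some other program has been wrapped around every .exe launch."""
    return split_command_line(command_value)[:1] != ["%1"]


def current_exefile_command() -> "str | None":
    """Read the live HKCR\\exefile\\shell\\open\\command default value (Windows only)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]
```

On the sample, `analyze_process_list` reports four proxied targets (the staged original, taskmgr.exe, firefox.exe and regedit.exe) and one execution out of \3582-490\. On a live host, `exefile_hijacked(current_exefile_command())` is the one-line check; the documented Neshta value `%SystemRoot%\svchost.com "%1" %*` trips it, the default `"%1" %*` does not.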

Network

Country  Destination      Domain                                  Proto
US       8.8.8.8:53       8.8.8.8.in-addr.arpa                    udp
N/A      127.0.0.1:51102  -                                       tcp
N/A      127.0.0.1:51379  -                                       tcp
US       8.8.8.8:53       contile.services.mozilla.com            udp
US       8.8.8.8:53       spocs.getpocket.com                     udp
US       8.8.8.8:53       getpocket.cdn.mozilla.net               udp
US       8.8.8.8:53       content-signature-2.cdn.mozilla.net     udp
US       8.8.8.8:53       shavar.services.mozilla.com             udp
US       8.8.8.8:53       push.services.mozilla.com               udp
US       8.8.8.8:53       firefox.settings.services.mozilla.com   udp
US       8.8.8.8:53       push.services.mozilla.com               udp
US       8.8.8.8:53       push.services.mozilla.com               udp
US       8.8.8.8:53       ds1nc.ru                                udp
US       8.8.8.8:53       support.mozilla.org                     udp
US       8.8.8.8:53       push.services.mozilla.com               udp
US       8.8.8.8:53       push.services.mozilla.com               udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\747dd5a520297697c280a00436847460_NeikiAnalytics.exe

MD5 1df5bef57c72b8d23f5263046e5dd043
SHA1 68e859eca519f8f5cc1c9ceb3dfaaac87e17b544
SHA256 43bb08a4762778843eca24c57d61f854a3c4a21f4da9f6bb15a34764a07596f3
SHA512 4bee5ae57f39b842c481280ac98c75106ed41aa34b783c2967a705511268fe2a4a2a489386c9b5bd2d291454989b9d7f7d644ef36300ca9feada4f016c592332

C:\Windows\svchost.com

MD5 223dd32576ace5da898257671c5cdf36
SHA1 87474af22e6a24ef24de43d2e798c87bd986514c
SHA256 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254
SHA512 aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3380-18-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 5ac1fd5515366b3ff2073ec90f52d9a2
SHA1 b5e7a378b2d0c9084d492031515f961cc1da3ed7
SHA256 2a8028d5bc2b012f2339457aa33c11232fac465b5e78115eee2675c5a172b437
SHA512 df68050295166523a52ff35224e77bc74b1f9a5c5c3a462b19cade714c4b64c68b957570a0d679f550d415f8a5abd16f175ec4275a950e2d89186582a00f0244

memory/1636-29-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2164-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5004-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4196-42-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4160-46-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2828-54-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4984-58-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3160-66-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4624-70-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4288-78-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3564-82-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

MD5 4ddc609ae13a777493f3eeda70a81d40
SHA1 8957c390f9b2c136d37190e32bccae3ae671c80a
SHA256 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA512 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

MD5 5791075058b526842f4601c46abd59f5
SHA1 b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA256 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA512 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

memory/512-120-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1100-110-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5052-122-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3456-126-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3184-134-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2000-144-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3292-150-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 e7a27a45efa530c657f58fda9f3b9f4a
SHA1 6c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256 d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA512 0c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 e316c67c785d3e39e90341b0bbaac705
SHA1 7ffd89492438a97ad848068cfdaab30c66afca35
SHA256 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA512 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

memory/3240-165-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 f94d1febf682583dbcf8a65c58b23d63
SHA1 7d2f2a91426a47822d2eeacf81f57959f226590e
SHA256 cdd94dcaff86e76861fa547ef47a20b9cf7347301363ddfb5a2550a5d7502a18
SHA512 f25ea048b2b52e540e8f8270fc1fb8b24f625d0fe6f72749617b8fd6f1f00a95d9e2f95c912290362fffbf967781fbbc1795f76deac5220a12071d6d4eb125cc

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

MD5 5da33a7b7941c4e76208ee7cddec8e0b
SHA1 cdd2e7b9b0e4be68417d4618e20a8283887c489c
SHA256 531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751
SHA512 977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe

MD5 ac0d708bbcd017ea66c1e5342769247f
SHA1 80ac2eba3acd2c5cd46b5dd0d7d4e50bc1dcd832
SHA256 9bad891baaba2084cb551b981b9eec735f3a9482b51b4b3abbabf76dbc217cd2
SHA512 4bc2f1d9d86407776a725a97f80f8ffd88c5139977ee84bbefd7e01b37a4665f1ccf23bde4ac3f9bcaf8bb4159868577153bf93bb07abc4e7924b12019cb18a2

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe

MD5 452b247061b3cf1def0aceee27b4a522
SHA1 2ce1a0ce564e41095691184682518826db1d7e9c
SHA256 484ca6e9fbfea88a939ff7cc511ac52b40631554efaf35ffc210dd56f2b2d9fa
SHA512 d395a82ac1e4e4a926b91e8ee465a2f457f20e011822c08ad17282378382dfe980b13b979db9aadce201df41c27922f77ba4c18b81c336744cfcf955b42c1f21

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 de69c005b0bbb513e946389227183eeb
SHA1 2a64efdcdc71654356f77a5b77da8b840dcc6674
SHA256 ad7b167ab599b6dad7e7f0ad47368643d91885253f95fadf0fadd1f8eb6ee9c7
SHA512 6ca8cec0cf20ee9b8dfe263e48f211b6f1e19e3b4fc0f6e89807f39d3f4e862f0139eb5b35e3133ef60555589ad54406fb11d95845568a5538602f287863b7d7

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

memory/2544-233-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4676-246-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4492-252-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2516-259-0x0000000000400000-0x000000000041B000-memory.dmp

memory/380-267-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3040-274-0x0000000000400000-0x000000000041B000-memory.dmp

memory/756-279-0x0000000000400000-0x000000000041B000-memory.dmp

memory/432-281-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4928-287-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3368-289-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2740-295-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4628-302-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4480-303-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4404-310-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4448-311-0x0000000000400000-0x000000000041B000-memory.dmp

memory/464-318-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4700-319-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2892-321-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1420-327-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4956-329-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2240-335-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3972-337-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2828-343-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3472-345-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1524-351-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3160-358-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3748-359-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4776-361-0x0000000000400000-0x000000000041B000-memory.dmp

memory/744-367-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4840-369-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3932-375-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3040-382-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4052-383-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4864-385-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1848-391-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3248-393-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4120-399-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1108-406-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3820-407-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2416-414-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4616-415-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3380-422-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1636-423-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3240-425-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 48074663d65be1968b6d38fba27cfb9d
SHA1 5b23440ce1976b8472bc586215cc23c515498e4c
SHA256 17b685b05977c384b09a328064920abd0a64e8bbc1644a4bd92ce00cee8c356f
SHA512 33b2dd9e68092d5083cf60f957bb576925f8baeb3fba8731f35d73626e769f6157616d0fe1edb8a70065256bdaa3ffe8564a0e4248b16684cc1d2299533431d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 3485ad5156cb30200028c5894bbb0949
SHA1 7ec5abc98a9f47c7ca4174382b7f428139f1e935
SHA256 3e4d23f5500ab3f11176c1acafec9c57f3908a9eda0e066100c0cf5275fda054
SHA512 943912a5ed4057dc4be3d089549c8acbc252844ded1d48f79f74188985dc552f82e35e935d1eb3471aa29c54ef4b58599e47307e33cd26988eb7fb20d5ab933f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

MD5 2b30ba45daa7c9ee5ea8d124b0073f39
SHA1 1e8b858edc9f58306128f2f95a2ad5bd4fc0173a
SHA256 b1591ccbc66453ddedad3899838657e8bb38f5207b9406f6d4c59851988d3203
SHA512 7842e9df2d8eb985b935b33806951ea2699e5408ef9ea61437e52c13761f285d739af2d4a1e5dc8f7cd9a3d8c53e6071da679feb8e78b3b5115248bbfae9a7b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fe9a9ec01e4b05ea9d5026c5842eef57
SHA1 32fdef78bae59fa5d52a401d88fae990867d7993
SHA256 baf90a417c6ed1773c017a480fae709293d1cde5702b4d3962a0fed43718b4a6
SHA512 120135bdc8aa8613094c5940b9332a6635e105d17b76d70f7b83f760cd91b1ee061ef3097c5bbd97442db123a32e1f454fa8ed0c17ac5961a36659ca7569f6d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 332615607f001d454d8fb60e5dd53cb9
SHA1 651aca115f3385beeec90a284942d9fe2829403d
SHA256 07566585684a47f771f30acc4e50ed89acaf8e12869690546ae4909daa29fd8a
SHA512 c2cb1463a7ce076a7ae5f2be281816dad1b6c6be535f8b227fe8b9265d1a3df1ea5c975e1be237f5e7907da11d5dde73ba843e0c152c454869f6078fa8802b6e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 571f8440cd6a03fc55ce352f1c156310
SHA1 73b268044ffdb52231d59605579788b5500f336f
SHA256 992107502eee40c9029952fd801747c72ac082d88086e8d42bcab95d1ca3e616
SHA512 072465b64efd85005f7f24673c7f82bbc92cb2e122d6f20820bfa6b81ad25768d3bf912dd9e3fbc4509e1c1167eff59656c4d0c329ce89683d349b3d9c4dd486

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0b5c7db6cf4fb821627bf7b95ffd4db0
SHA1 247b7449fac316119b966cae8a709a4f3f64b97d
SHA256 e8c2330c98ebff2ea6617ec5c2857318429827b8473bb0b1e413d4138a8c99b7
SHA512 ba899444c742a208aaf4fca9ca69a5028298ef773d921e056a4a84bfbe73a091aee627925d3d7810e408cac4db0434882f16358af4948441c714f4c14530e15f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 3af7197d404b454299c6a08bb0341cd6
SHA1 a71927bf981b10233754dd23d96784cb139d0c7b
SHA256 423a40ec704fd69f203c7f9ec5cb1a3d83850ee71ea33843947c3431c0e7f464
SHA512 0030b4ad0c5bc96004f6a4bd2005f72d50d34a71e428eb5abffc9d29a9bd7359151fc355925cfb56501abece6f673c65a766ee4487432356c3b5dd1b157036b5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 321b8208a2f016aa9215d9fc251fa27c
SHA1 7d5f58a8343284fa314f23d6ff497eea425a28a2
SHA256 7e7bf4dd8adb641a01d2ae94e99197017d90b74c42d407d03adba00757243f8b
SHA512 3123f44bfb8c6a2226a622c079e1a190368bd1af31d5cd21a298ee3cddb9bfa971cb71d98911cb34c98d8cf46db492bea23a86d07a542c826678de1049ee203d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionCheckpoints.json.tmp

MD5 e6c20f53d6714067f2b49d0e9ba8030e
SHA1 f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4

MD5 2192217d448ba8bbdd9704fe2bf02728
SHA1 924798c5db789484d1b6e0562cf8d0b5595368f6
SHA256 631dc0e4029cc0a062fabd1923866bd462681b7964e51abe316d7797f354bb1b
SHA512 49d84906b6ebda56eb6c756e75c09b4085387fa4beca8b13998707b1c3626cf1bdacf5359efd96ce4a3f798e9433baa2c4c19d4d007f76b1f6d4249ebb375b9e

C:\Windows\directx.sys

MD5 32f05aab0bc985994bc008fb2e8c476e
SHA1 9af2cd824b0f1d061b6f4f5ced6440bb4595995e
SHA256 44d1c2cfb1cc0ccea5a3360ea718e151ade30e5c186b04437cbb084ae9205a9d
SHA512 493fdc20a6584d86eed9d7cbb8615b1d5099b27b5dda7e268a4b03a9f91d9d99b45c199b98cd6b89142397255544ce70e8e0e2ee51f7fb2afb43ef603ff591eb
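
Two things in the Files section deserve a second look. C:\Windows\directx.sys is recorded four times with different digests, and the first set (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) is the digest of a zero-length file, most likely captured at creation before Neshta wrote anything into it; the later entries show it being rewritten during the run. The run of Program Files executables (Adobe Reader, Java, Google Update, the Edge stub) with fresh hashes is the infector rewriting them, and the staged copy in %TEMP%\3582-490\ hashes differently from svchost.com because it is the original host program, not the Neshta body. The Python below is an added example, not from this report or from any sandbox tooling: it parses a constructed excerpt of this section (SHA512 lines left out for brevity), flags empty-file records, and carves the host out of a prepended infection. The prepender layout (Neshta body first, original PE appended after it) is the documented Neshta behaviour and is assumed here rather than shown by the report; the PE blobs are constructed stand-ins, not real samples.

```python
"""Triage a Neshta report's Files section and carve a prepended host (added example)."""
import hashlib
import re
import struct

# Constructed excerpt of the Files section above: path line, blank line,
# one "ALGO hexdigest" line per hash. SHA512 lines omitted to keep it short.
SAMPLE_FILES_SECTION = r'''
C:\Windows\svchost.com

MD5 223dd32576ace5da898257671c5cdf36
SHA1 87474af22e6a24ef24de43d2e798c87bd986514c
SHA256 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\directx.sys

MD5 5ac1fd5515366b3ff2073ec90f52d9a2
SHA1 b5e7a378b2d0c9084d492031515f961cc1da3ed7
SHA256 2a8028d5bc2b012f2339457aa33c11232fac465b5e78115eee2675c5a172b437
'''

_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# Digests of a zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}


def parse_files_section(text: str) -> list:
    """Return (path, {algo: hexdigest}) in report order. Lines that are not
    hash lines (paths, memory-dump names) start a new entry with an empty dict."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        match = _HASH_LINE.match(line)
        if match and entries:
            entries[-1][1][match.group(1)] = match.group(2)
        else:
            entries.append((line, {}))
    return entries


def is_empty_file(hashes: dict) -> bool:
    """Every recorded digest equals the digest of a zero-length file."""
    return bool(hashes) and all(EMPTY_DIGESTS[algo] == h for algo, h in hashes.items())


def empty_file_records(entries) -> list:
    """Paths whose hash record was taken before any bytes were written."""
    return [path for path, hashes in entries if is_empty_file(hashes)]


def find_pe(data: bytes, start: int = 0) -> int:
    """Offset of the first MZ header at or after `start` whose e_lfanew points
    at a PE signature, or -1. Bounds-checked so junk 'MZ' bytes are skipped."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def carve_prepended_host(infected: bytes):
    """Prepender layout (assumed, as documented for Neshta): infector PE at
    offset 0, original host PE appended after it. Return the host bytes, or
    None when the input is not a PE or has no second PE inside it."""
    if find_pe(infected) != 0:
        return None
    host = find_pe(infected, 1)
    return infected[host:] if host != -1 else None


def make_min_pe(tag: bytes) -> bytes:
    """Constructed stand-in: 0x40-byte MZ header, e_lfanew -> PE signature, then a tag."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + tag


BODY = make_min_pe(b"stand-in for the Neshta body")      # constructed, not the real infector
HOST = make_min_pe(b"stand-in for the original host")    # constructed, not a real program
INFECTED = BODY + HOST
```

Against a real sample, feed `carve_prepended_host` the bytes of an infected Program Files executable and compare the SHA256 of the result with the hash of the copy the sandbox recorded under %TEMP%\3582-490\; if the layout assumption holds they match, and if they do not, look for an overlay or a second MZ string inside the infector body before trusting the carve.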