Malware Analysis Report

2024-09-11 00:04

Sample ID 240619-fck3fstgpe
Target 8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
SHA256 3429a934434f068f592511a10583933e0f7ec8d18eaef4c4f508615115f74e40
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3429a934434f068f592511a10583933e0f7ec8d18eaef4c4f508615115f74e40

Threat Level: Known bad

The file 8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe was found to be: Known bad.

Analyst note, derived from the indicators in this report: the sample is a Neshta-infected host executable rather than a standalone dropper. On launch the Neshta stub writes the original host program to C:\Users\Admin\AppData\Local\Temp\3582-490\ under the same file name (with a different SHA256 from the sample) and executes it, drops itself as C:\Windows\svchost.com, writes C:\Windows\directx.sys, and sets HKLM\SOFTWARE\Classes\exefile\shell\open\command to "C:\Windows\svchost.com "%1" %*", so that every .exe started through the shell is routed through the stub first (direct CreateProcess calls bypass this). Both the sample and svchost.com then open dozens of .exe files under Program Files, ProgramData and MSOCache for modification: that is the file-infection behaviour, and the long "Drops file in Program Files directory" tables below are its trace. The host program in this case is a PowerISO component: the extracted copy registers PWRISOSH.DLL via regsvr32 and creates a $PowerISO$ temp directory. No network activity was recorded in either detonation. The spyware/stealer tags rest on the "Reads user/profile data of web browsers" signature alone, which exported no indicator rows here; treat them as low confidence for this sample.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Detect Neshta payload

Neshta family

Checks computer location settings

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

(Technique mapping not included in this export.)

Analysis: static1

Detonation Overview

Reported

2024-06-19 04:43

Signatures

Detect Neshta payload

Matched; indicator details not exported.

Neshta family

neshta

Unsigned PE

Matched; the PE carries no Authenticode signature (indicator details not exported).

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 04:43

Reported

2024-06-19 04:46

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

18 matches; indicator details not exported.

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
(one further hit exported without details)

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
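The registry write above is the whole persistence mechanism: Explorer and ShellExecute resolve a double-clicked or shell-launched .exe through HKLM\SOFTWARE\Classes\exefile\shell\open\command, whose stock value is "%1" %*, so replacing it with C:\Windows\svchost.com "%1" %* puts the dropped stub in front of every such launch (direct CreateProcess calls are unaffected). The Python below is an added example, not part of the sandbox report: it parses Set value rows in this report's text layout (an assumption about the export), unescapes the data, and flags any exefile handler whose value is not the stock one, returning the interposed binary. The three input rows are constructed; the first is copied from the indicator above, the other two show the stock value being restored and an unrelated class key.

```python
"""Flag a hijacked .exe shell handler in registry set-value events.

Added example, not part of the sandbox report. It parses rows in this
report's 'Set value (str) <key> = "<data>" <process> <target>' layout
(an assumption about the text export), unescapes the data, and reports
any exefile\\shell\\open\\command value that is not the stock one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Stock Windows value of HKLM\SOFTWARE\Classes\exefile\shell\open\command:
# run the file itself (%1) with the caller's arguments (%*).
DEFAULT_EXE_HANDLER = '"%1" %*'

# Suffix match so HKLM, HKCU (per-user hijack) and the \REGISTRY\MACHINE
# spelling used by sandboxes all count.
EXE_HANDLER_SUFFIX = r"\software\classes\exefile\shell\open\command"

_ROW = re.compile(
    r'^Set value \(str\) (?P<key>.+?)\\? = "(?P<data>(?:\\.|[^"\\])*)" '
    r'(?P<proc>\S+)(?: \S+)?$'
)


@dataclass(frozen=True)
class RegEvent:
    key: str      # registry path as logged, trailing backslash removed
    data: str     # string data with \\ and \" unescaped
    process: str  # image path of the writing process


def parse_set_value(row: str) -> Optional[RegEvent]:
    """Parse one report row; return None for rows of any other kind."""
    m = _ROW.match(row)
    if not m:
        return None
    data = re.sub(r'\\(["\\])', r"\1", m["data"])
    return RegEvent(m["key"].rstrip("\\"), data, m["proc"])


def is_exe_handler_key(key: str) -> bool:
    return key.rstrip("\\").lower().endswith(EXE_HANDLER_SUFFIX)


def is_hijacked(data: str) -> bool:
    """True unless the value is the stock template (whitespace-normalised)."""
    return " ".join(data.split()) != DEFAULT_EXE_HANDLER


def interposer(data: str) -> str:
    """First program named in a handler template, e.g. C:\\Windows\\svchost.com."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def find_exe_handler_hijacks(rows) -> list[tuple[str, str, str]]:
    """Return (writing process, interposed binary, full value) per hijack."""
    hits = []
    for row in rows:
        ev = parse_set_value(row)
        if ev is None or not is_exe_handler_key(ev.key):
            continue
        if is_hijacked(ev.data):
            hits.append((ev.process, interposer(ev.data), ev.data))
    return hits


# Constructed input: row 1 is copied from the indicator table above; rows 2
# and 3 are made up here to show the stock value and an unrelated key.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Windows\regedit.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\regedit.exe N/A',
]

if __name__ == "__main__":
    for proc, binary, value in find_exe_handler_hijacks(SAMPLE_ROWS):
        print(f"exefile handler hijacked by {proc}: runs {binary} first ({value})")
```

The same check applies to a live host: read the value from the registry and compare against the stock template after whitespace normalisation. Remediation is to restore "%1" %* and remove the interposed binary, not merely to delete svchost.com, since with the handler left pointing at a missing file no .exe will launch from the shell.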

Reads user/profile data of web browsers

spyware stealer
(No indicator rows were exported for this signature in this run; it is the only source of the spyware/stealer tags, and no network activity was recorded.)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004} C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2064 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
PID 2064 wrote to memory of 2684 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe C:\Windows\svchost.com
PID 2684 wrote to memory of 2720 (7 events) N/A C:\Windows\svchost.com C:\Windows\SysWOW64\regsvr32.exe

Processes

(Parent/child links and PIDs taken from the WriteProcessMemory rows above.)

PID 2280  C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

  PID 2064  C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe  (child of 2280)
            "C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

    PID 2684  C:\Windows\svchost.com  (child of 2064)
              "C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL"

      PID 2720  C:\Windows\SysWOW64\regsvr32.exe  (child of 2684)
                C:\Windows\System32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL
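The svchost.com command line above is what the hijacked handler expands to: the extracted PowerISO component asked the shell to run regsvr32.exe /s PWRISOSH.DLL, the exefile handler substituted C:\Windows\svchost.com with the real program as %1 and its arguments as %*, and the stub then started the real regsvr32 itself. The Python below is an added example, not the sandbox's code: it unwraps such a command line back to the intended program and arguments, and rebuilds the PID 2280 -> 2064 -> 2684 -> 2720 chain from the WriteProcessMemory rows. The rows and command line are copied from this report; the row layout and the 4/4/7 repeat counts are taken as given, and the simplified tokenizer ignores Windows backslash-escape rules, which do not occur in these command lines.

```python
"""Unwrap a hijacked-handler command line and rebuild the launch chain.

Added example, not part of the sandbox report. The rows and command line
below are copied from this report's behavioral1 tables; the row layout
"PID A wrote to memory of B N/A <image A> <image B>" is an assumption
about the text export, and the tokenizer ignores Windows backslash-escape
rules, which do not occur in these command lines.
"""
from __future__ import annotations

import ntpath
import re
from typing import Optional

# The hijacked handler written by the sample (see the registry indicator above).
HANDLER_TEMPLATE = r'C:\Windows\svchost.com "%1" %*'


def split_cmdline(cmdline: str) -> list[str]:
    """Split on spaces outside double quotes; the quotes themselves are dropped."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def unwrap_hijacked(cmdline: str, template: str = HANDLER_TEMPLATE) -> Optional[tuple[str, list[str]]]:
    """If cmdline is the expansion of '<interposer> "%1" %*', return the real
    (program, arguments) the shell was asked to run; otherwise None."""
    interposer = split_cmdline(template)[0]
    argv = split_cmdline(cmdline)
    if len(argv) < 2 or argv[0].lower() != interposer.lower():
        return None
    return argv[1], argv[2:]


_WPM = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def build_tree(rows):
    """Return (pid -> image, child pid -> parent pid, (src, dst) -> event count)."""
    images, parent, counts = {}, {}, {}
    for row in rows:
        m = _WPM.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        parent.setdefault(dst, src)  # the first writer into a new process is its creator
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return images, parent, counts


def lineage(pid: int, parent: dict, images: dict) -> list[tuple[int, str]]:
    """Ancestors of pid from the root down, as (pid, image) pairs."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [(p, images[p]) for p in reversed(chain)]


def neshta_chain(images: dict, parent: dict) -> dict[str, int]:
    """Match the tree against the launch pattern this report shows: infected
    host -> same-named original under \\3582-490\\ -> C:\\Windows\\svchost.com."""
    found = {}
    for pid, img in images.items():
        low = img.lower()
        par = parent.get(pid)
        if "\\3582-490\\" in low and par is not None and \
                ntpath.basename(images[par]).lower() == ntpath.basename(low):
            found["extracted_host"] = pid
        if low.startswith("c:\\windows\\") and ntpath.basename(low) == "svchost.com":
            found["interposer"] = pid
    return found


# Copied from the behavioral1 "Suspicious use of WriteProcessMemory" table
# (4, 4 and 7 identical rows respectively).
IMG = {
    2280: r"C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe",
    2064: r"C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe",
    2684: r"C:\Windows\svchost.com",
    2720: r"C:\Windows\SysWOW64\regsvr32.exe",
}
WPM_ROWS = (
    [f"PID 2280 wrote to memory of 2064 N/A {IMG[2280]} {IMG[2064]}"] * 4
    + [f"PID 2064 wrote to memory of 2684 N/A {IMG[2064]} {IMG[2684]}"] * 4
    + [f"PID 2684 wrote to memory of 2720 N/A {IMG[2684]} {IMG[2720]}"] * 7
)

# Copied from the Processes section: svchost.com's command line.
SVCHOST_COM_CMDLINE = (
    r'"C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s '
    r'"C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL"'
)

if __name__ == "__main__":
    images, parent, counts = build_tree(WPM_ROWS)
    for pid, img in lineage(2720, parent, images):
        print(pid, img)
    print(neshta_chain(images, parent))
    print(unwrap_hijacked(SVCHOST_COM_CMDLINE))
```

Note that the observed child image is C:\Windows\SysWOW64\regsvr32.exe although the unwrapped path says System32: svchost.com is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it. When correlating the unwrapped target against the actual child, match on the basename rather than the full path.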

Network

N/A

Files

Note on the hashes below: entries under C:\PROGRA~2, C:\PROGRA~3, C:\Users\ALLUSE~1 and C:\MSOCache are the victim VM's own executables, recorded after the sample or svchost.com opened them for modification, so they are post-infection hashes of legitimate programs and will differ on every host; they are not reusable indicators for the malware. The portable artefacts are C:\Windows\svchost.com (the stub, SHA256 c6e8ecbb783ffaf1d834b61a20c384d04a8af72eeaf83cdee4dc75f654fcfcd2), the 3582-490 directory holding the extracted original, C:\Windows\directx.sys, and the exefile handler value.

\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe

MD5 8803e7c609fa926a782a879ddf4aed31
SHA1 96c8fdaff82508341c4e227776e9f22b38362f10
SHA256 4371c16ac11f9f66e5467dbbc1066c1a6d9b7320cdece579a62f9296014c8211
SHA512 b3faeeb690e3738079a43d36ac5d920a0e041b25cef0215e23abe13d7eeb5d7c1e716b817e7a9f3b3ed4f205e4d616ccd8a2ecbd7b106fa7c480ef6afd1ed96b

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\Windows\svchost.com

MD5 29fcbce31956f368109ec1fc6e5148ff
SHA1 cc297e4f5d7e7ca35ee4e565c8d3262168524d4b
SHA256 c6e8ecbb783ffaf1d834b61a20c384d04a8af72eeaf83cdee4dc75f654fcfcd2
SHA512 3f73585c1f1f34b5c4db941c6c61d85b830bf4af89be2ddf391b766e13797f27cc8d8f22ea8402e97143c5503216be4fbdd2914f3b2e0c73bfd4c85583c0d159

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\Users\Admin\AppData\Local\Temp\$PowerISO$\169C.tmp.ico

MD5 4198afdeb9ace242c575ee572af22e1f
SHA1 32784594ec69ca459878010401c3931be8e5e15e
SHA256 b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e
SHA512 d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

MD5 e1833678885f02b5e3cf1b3953456557
SHA1 c197e763500002bc76a8d503933f1f6082a8507a
SHA256 bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512 fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 e19544c111fefa491cfe53b99f8bebc2
SHA1 a05e096689dd82751ccd0a4eec0db54a5f972830
SHA256 82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762
SHA512 0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 f34835c1f458f93cd9041bfa7d01ee7d
SHA1 283ac4059492a22e10f7fcef219e52e0400a8926
SHA256 afc5cc567db1a3318c89dd0efad2ca60a353290bc25d98bbbba8e6f1492e23b1
SHA512 d5cc2244f1b6492dd9e66c6e917c2dfaa11376d4a8d1dea2c241cd35ce947ad919e47d1a78dea0c1f6cd6fa1e74426f806ddcf9ed3e8f25a9ae7c370b09e6857

C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 af347c1ed4c9439b511585d607aa7a81
SHA1 5bccf29c6de8d1e005450f84d8e0ea597d290329
SHA256 94626f607c789acc73135c18be6fd93a9e56e839d4739dfebf45ce03d55386b9
SHA512 f314ad43f0af94f1178fb40a503c869c2a51ef04f78ee59b8236ca886c01ab7f50b4eb322cf16cbb7fde7015bc926b08df6ef50828c09178da82f2b5d512a5c1

C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 7ec5ddf3fcc6796ca4e49ba4b3cf196a
SHA1 0f5d6a04f70f466b3cbe1750d9be78da80579e07
SHA256 f71d62354d4c6eec8a9cd14db442b9a5f2a6550468b01bda06f82acaa8e0c9b8
SHA512 f3884675fd5d324843102bf7dcc22885962ce1feaaf9f2460af8de36d594102957da993576405f18686e04ac693b651fec22c4e66a9821329f53f712281c87ea

memory/2684-168-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2280-167-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2684-173-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 aa939d42a2d12874c4f9c641b0e47c2e
SHA1 82200fb9d0cf9e295679187485a20cbd3d6c4103
SHA256 9dc5998587f4e0826080001b2c597553052d704f7bc0f01a86fff89afbbe2db1
SHA512 f61717606c7fd9d367f5aedbdbadb93ff5ee1fcb6784563b46b7727aba7168db444107d56f24f289b5c741328a4cba4b2cf0d7a7dfd3f9d1b4a7c01208811303

memory/2280-170-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 04:43

Reported

2024-06-19 04:46

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

50 matches; indicator details not exported.

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
(Both the stub and the extracted original read this value. A Geo\Nation lookup is a generic locale query and, with no conditional behaviour observed, is not by itself evidence of geofencing.)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer
(No indicator rows were exported for this signature in this run.)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\BHO\ie_to_edge_stub.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\cookie_exporter.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\notification_helper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\INSTAL~1\setup.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\msedgewebview2.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\pwahelper.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8658416-7CCB-4c1d-A021-AFF0A2EB8004} C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\3582-490\PWRISOSH.DLL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\8a63dd9d554d110d50c9a5fc7be6ddf0_NeikiAnalytics.exe

MD5 8803e7c609fa926a782a879ddf4aed31
SHA1 96c8fdaff82508341c4e227776e9f22b38362f10
SHA256 4371c16ac11f9f66e5467dbbc1066c1a6d9b7320cdece579a62f9296014c8211
SHA512 b3faeeb690e3738079a43d36ac5d920a0e041b25cef0215e23abe13d7eeb5d7c1e716b817e7a9f3b3ed4f205e4d616ccd8a2ecbd7b106fa7c480ef6afd1ed96b

C:\Windows\svchost.com

MD5 29fcbce31956f368109ec1fc6e5148ff
SHA1 cc297e4f5d7e7ca35ee4e565c8d3262168524d4b
SHA256 c6e8ecbb783ffaf1d834b61a20c384d04a8af72eeaf83cdee4dc75f654fcfcd2
SHA512 3f73585c1f1f34b5c4db941c6c61d85b830bf4af89be2ddf391b766e13797f27cc8d8f22ea8402e97143c5503216be4fbdd2914f3b2e0c73bfd4c85583c0d159

C:\Users\Admin\AppData\Local\Temp\$PowerISO$\D968.tmp.ico

MD5 4198afdeb9ace242c575ee572af22e1f
SHA1 32784594ec69ca459878010401c3931be8e5e15e
SHA256 b4d6704aabfcc8b7cb8f4ee58b162dd124e2d0e4dce20ecf13eebd262dd1e76e
SHA512 d4288466d9a669c7735dc788f81fd5581876048644c48a58df5e2f8c70d468464d9de2bcbd295cdfe8510fd77a9a3cc26e3de0a1cf985622fec00baefda7f4cc

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

MD5 a344438de9e499ca3d9038688440f406
SHA1 c961917349de7e9d269f6f4a5593b6b9d3fcd4d2
SHA256 715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557
SHA512 8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 322302633e36360a24252f6291cdfc91
SHA1 238ed62353776c646957efefc0174c545c2afa3d
SHA256 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA512 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

MD5 4ddc609ae13a777493f3eeda70a81d40
SHA1 8957c390f9b2c136d37190e32bccae3ae671c80a
SHA256 16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA512 9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 12c29dd57aa69f45ddd2e47620e0a8d9
SHA1 ba297aa3fe237ca916257bc46370b360a2db2223
SHA256 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

MD5 3b35b268659965ab93b6ee42f8193395
SHA1 8faefc346e99c9b2488f2414234c9e4740b96d88
SHA256 750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb
SHA512 035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 f94d1febf682583dbcf8a65c58b23d63
SHA1 7d2f2a91426a47822d2eeacf81f57959f226590e
SHA256 cdd94dcaff86e76861fa547ef47a20b9cf7347301363ddfb5a2550a5d7502a18
SHA512 f25ea048b2b52e540e8f8270fc1fb8b24f625d0fe6f72749617b8fd6f1f00a95d9e2f95c912290362fffbf967781fbbc1795f76deac5220a12071d6d4eb125cc

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

MD5 e9fb27bf62ef26b3288b5fe9ddf2f482
SHA1 eb4908aa50c11ae43df2fbdb0c80ddd41443624e
SHA256 9ea04cf00d8c01e4099195e5289c2e8221cdb7217c773222d1a55473b854f1b3
SHA512 89fc0a4d2fa078315ca25ddeeaaa911ffb82d10669b0987d9bd67b149e09d73d0c356c656a519be7d65b93da831ea9da4f7617595ec01697390ca8bb00743ffa

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

MD5 96a14f39834c93363eebf40ae941242c
SHA1 5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc
SHA256 8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a
SHA512 fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\msedge_proxy.exe

MD5 a354708b6142711dc8414d725015ff26
SHA1 b064eccfc464db92d2e4ed1c4f8372de5fda68a3
SHA256 572e5256d6d477edfc35384cfb118b44a3aa49e1e5741ded41dfea98fc70a4c3
SHA512 0bf3ae2f1ed58aab55412789e07ba3f17d181a84f13f5300270934dee926f94c6a26426a15cb0f3049abdb068dac54532d00a5add91b0b15878cc9892f25508c

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\INSTAL~1\setup.exe

MD5 2dd6e2d0c378e8523177bf1820ace70d
SHA1 25a8c006f14c67b9f0c440bee9be65619f314864
SHA256 02312194edf7891c4cf5d6f609cd37689beb9154ad6a20aa5f7cd142c53f33f6
SHA512 e8e2217ab3a5c37f6ffc526c9f564fc32cd5538c06b5196ca4f041f0f6bd3ff9e5f61123f5e31690084247f5f15a6d9323bffff788aa122fa0e9b9dd38df9780

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\identity_helper.exe

MD5 3556d1955447a98178c968c98e036256
SHA1 1e6ce04e1cc0a94a9e400f0f171b05c9d5d3b602
SHA256 c2d226bb23cd9e01f6f06579c393046591311e74f6b39e87c1afd5feaf4f9dd7
SHA512 f29c8c97de8fd1d9994558da6d924923f215238b467d5e31e58eb60ff2d7a1640df7cafa5f04fb3d2f916bde5fc94038f22696fdb0ab953bf436166df663b1f3

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\COOKIE~1.EXE

MD5 6279e8a45e8ef98e1723925e3699e431
SHA1 e3adc55efbd3ac8053b5cc6550bbc8e9b566eae0
SHA256 3206f548299b900fd941c5404e393c868d95f696839c07c09ff5a6591cc070c3
SHA512 35842fe0b5e2b4b723f37fce3c66d60f3caeb85d4a1eb17a6c255a6503e0ef6f0202012fc720d926f25687eb6b6aaa53697482ffe7a40358fef48c221682b9a2

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\PWAHEL~1.EXE

MD5 09e65dbdab3dc90ce0a2d6577f8f802f
SHA1 260cec74012a11f5136da7e3f95dfa1f505e3431
SHA256 c638fe82ee529ef387e223d0a883551eb52644a3d6cce2afc0319cdc37b0feb9
SHA512 eb8d979ab2a9f2857439f5fdb6fe20c1a0d5cdc4e161d9d636465fd643176ac202db7c95f2cdc8c0e91112e57174e36dcd39bc7066540c64f8112254682102e6

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\NOTIFI~1.EXE

MD5 66f5c082a287fb8ed9a92382a30bc9b3
SHA1 27242e3dad97b62a8567f97f45bba267e0ee4033
SHA256 e5cbccebeb828eb0df1d107a3d44d866c29bb0e99494d4897c30b5e5eb41bd98
SHA512 391d67c759e249694b3e69fc0a620c5bfe8d4ca7f4a9d3f8391fa6840c339c4411a082c43feabe65c60f7f95b4d4bd06dd1e73503c9147c72d5958af134cca16

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE

MD5 17910e3ec1e0ce140176be114622722f
SHA1 945c03c0fef71864818c3f93ce9c0233ca98ce2e
SHA256 af6787dc006c5ccf12de2a10bccef2fa71fb6ab6d9d39e8d405c09f2b6141401
SHA512 5a504fa3b3cddc5ad01edd1cd8351d8dea4ec94215fc800e752bd27ec5e5452d5748be96e08087f6b718c1805f17cf1262b648a706cba2725f21fda860ec3cba

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\MSEDGE~3.EXE

MD5 14c76fcbecbac25811d3e3af4a1d9535
SHA1 4a65c0e22f4b4c9419f3cc4a961281eab6ba24de
SHA256 e7ce3131d752da7061f691032510e3d054386865744d4149c2f672d682ac295d
SHA512 a95a3bb03bc46f1362bac78bed0b9df05395917b5d6cde48f184b2a11b69f0a183d3e36e016ce647398ce79e008b75bc5776211d4b1eb1ee0554c5fd3b58d3a4

C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

MD5 5d656c152b22ddd4f875306ca928243a
SHA1 177ff847aa898afa1b786077ae87b5ae0c7687c7
SHA256 4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69
SHA512 d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\MSEDGE~1.EXE

MD5 0b606b814550d9224a87bbf23d369ed9
SHA1 10509e9950bba1dcdc8e56e3fdfb93bfdc5068c6
SHA256 ceace61c93a564e0a8510ed68f45371fc394cbaecc4a5e85f0cd474cf36fd7b1
SHA512 5b3e4ae2de47589298b76980f0b654c5eb647cdf667a7001d7698e30132d7cf709683d348c39eab5d5f61ef63a06d339734781be1a4af0edfbf32ed5c5956b30

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\msedge.exe

MD5 9f856a0e7bae49fc835e91528bed630d
SHA1 ed243416e5cf929cb9172c978a320f85f29c1499
SHA256 b66c2df83c930f028865c31ef4e2fafffa969de7ab4712b87dac7ccbe70d376b
SHA512 fc66d089ce8e7671e520a1bb40c96504ed064da7a004eff0d5c248f78cc4f889952ad0318a5f1524856eacdba49e9859b2a5687b0bd99163d1565439a75c4970

C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\BHO\IE_TO_~1.EXE

MD5 6f8451ebd872f0cf0b4ac8cdc48d21d0
SHA1 619aa4f17cf90b114faf2643ca3ca1b36ce089ad
SHA256 09c249bf6569f009bfcb67dc6e0c92ce8d8482634b9776454186140b5dbde23e
SHA512 3cf890ba0a39cb3609f0ab2203dbfaaa92748e76dd150f19ce14d60a18c41248f15e184a18a72a796fe83662686cb94a2d5b19f0b20c070d12f49ce429c710db

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\125025~1.92\elevation_service.exe

MD5 b9a8002e7ce47ab04e60008fb45ef10a
SHA1 c1fdc96ed002227f507662dd71521e40c1856dea
SHA256 d5482f8c53f136ef3be0156ad214b404dfcd3ebd2118f199a77fb596df9f5ca6
SHA512 4457df873f210e329736b32afd16de8eb335065b945f4bbc654883e1e759e55c47d7c3ca248e470bebb666eb1dbeb7f8db1f220663e87ae337c890c5dcfbdedb

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE

MD5 2f826daacb184077b67aad3fe30e3413
SHA1 981d415fe70414aaac3a11024e65ae2e949aced8
SHA256 a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222
SHA512 2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

MD5 346d2ff654d6257364a7c32b1ec53c09
SHA1 224301c0f56a870f20383c45801ec16d01dc48d1
SHA256 a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255
SHA512 223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE

MD5 1319acbba64ecbcd5e3f16fc3acd693c
SHA1 f5d64f97194846bd0564d20ee290d35dd3df40b0
SHA256 8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce
SHA512 abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\Users\ALLUSE~1\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

MD5 72d0addae57f28c993b319bfafa190ac
SHA1 8082ad7a004a399f0edbf447425f6a0f6c772ff3
SHA256 671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18
SHA512 98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

MD5 558fdb0b9f097118b0c928bb6062370a
SHA1 ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA256 90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA512 5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

MD5 8a403bc371b84920c641afa3cf9fef2f
SHA1 d6c9d38f3e571b54132dd7ee31a169c683abfd63
SHA256 614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3
SHA512 b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

memory/512-171-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2268-172-0x0000000000400000-0x000000000041B000-memory.dmp

memory/512-173-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2268-174-0x0000000000400000-0x000000000041B000-memory.dmp

memory/512-175-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

MD5 890855a876bdf96e79e45771f2633b9f
SHA1 5eec35c4d84794116bbaf9ab0c267c9b9fc6eaaf
SHA256 5b1a72775fea8137a970e3d87ef7bfa523d662b19d9fa26e4576a432f6a4dabd
SHA512 22c25b8fd7f2cbd94587e5c1cdd7983154cdff67b6f9e4fc4da832d182c1454f76f1e82f542e5259adb244b122929dc9f2277c537b9f9350dc341226dbedda8d

memory/2268-180-0x0000000000400000-0x000000000041B000-memory.dmp

memory/512-179-0x0000000000400000-0x000000000041B000-memory.dmp