Analysis
-
max time kernel
7s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-06-2024 13:48
Behavioral task
behavioral1
Sample
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
-
Size
2.4MB
-
MD5
c1779426d93c21f8a8225ae0771a41c0
-
SHA1
3f6db29296d972691a377d1ca600dad1934a6ffb
-
SHA256
5b6ddc64b4f2d59e0d119fc8790852b47dc0b7c2f17da35ac540a512a70f529c
-
SHA512
b22ee5dd946bb6317cbbade882ea2d78ef5d9a7300707fcb2aa6ffd1f2e389f32e7dbf0b3de6e984f9b2cddafb11bd1635538cc31d21f8a045b778db2af058e8
-
SSDEEP
49152:UHyjtk2MYC5GDNHyjtk2MYC5GDJHyjtk2MYC5GDHnanWn9:Umtk2asmtk2aImtk2aInanWn9
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe family_neshta C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe family_neshta \Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe family_neshta C:\Windows\svchost.com family_neshta C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe family_neshta C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe family_neshta C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE family_neshta C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE family_neshta behavioral1/memory/1284-60-0x0000000000400000-0x000000000066E000-memory.dmp family_neshta behavioral1/memory/2576-63-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE family_neshta behavioral1/memory/2448-83-0x0000000000400000-0x00000000005A8000-memory.dmp family_neshta C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE family_neshta behavioral1/memory/3004-97-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1692-144-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2512-145-0x0000000000400000-0x000000000066E000-memory.dmp family_neshta C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe family_neshta C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE family_neshta C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe family_neshta C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE family_neshta C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE family_neshta behavioral1/memory/2692-105-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1648-117-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2832-138-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2772-148-0x0000000000400000-0x000000000066E000-memory.dmp family_neshta behavioral1/memory/1776-149-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/580-169-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1144-200-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2152-218-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/832-203-0x0000000000400000-0x00000000005A8000-memory.dmp family_neshta behavioral1/memory/900-229-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/560-231-0x0000000000400000-0x00000000005A8000-memory.dmp family_neshta behavioral1/memory/692-235-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1888-242-0x0000000000400000-0x00000000004E1000-memory.dmp family_neshta behavioral1/memory/2756-280-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2648-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1192-297-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2016-298-0x0000000000400000-0x00000000004E1000-memory.dmp family_neshta behavioral1/memory/2856-291-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2496-300-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1600-309-0x0000000000400000-0x00000000005A8000-memory.dmp family_neshta behavioral1/memory/1932-315-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2708-317-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1984-325-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/580-338-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1152-340-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/320-348-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/576-351-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/988-350-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2872-357-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/312-367-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/840-368-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2228-370-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2136-383-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2352-384-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2152-397-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2320-403-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2408-401-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1912-414-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3004-415-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2412-423-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1240-422-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2636-425-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2844-424-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 38 IoCs
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exesvchost.com_CACHE~1.EXESynaptics.exe._cache__CACHE~1.EXESynaptics.exe._cache_Synaptics.exesvchost.comsvchost.com_CACHE~1.EXE._cache_Synaptics.exe._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~1.EXESynaptics.exesvchost.com_CACHE~2.EXEsvchost.comSYNAPT~1.EXESynaptics.exe._cache__CACHE~2.EXE._cache__CACHE~2.EXE._cache_SYNAPT~1.EXEsvchost.comSynaptics.exe._cache_Synaptics.exesvchost.comsvchost.comSynaptics.exe_CACHE~3.EXE_CACHE~1.EXE_CACHE~1.EXEsvchost.com_CACHE~4.EXEpid process 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2576 svchost.com 2448 _CACHE~1.EXE 2512 Synaptics.exe 3004 ._cache__CACHE~1.EXE 2772 Synaptics.exe 1648 ._cache_Synaptics.exe 2692 svchost.com 2832 svchost.com 832 _CACHE~1.EXE 1692 ._cache_Synaptics.exe 1776 ._cache__CACHE~1.EXE 580 svchost.com 560 _CACHE~1.EXE 1144 svchost.com 2016 _CACHE~2.EXE 2152 ._cache__CACHE~1.EXE 1864 Synaptics.exe 900 svchost.com 1888 _CACHE~2.EXE 692 svchost.com 1600 SYNAPT~1.EXE 804 Synaptics.exe 2648 ._cache__CACHE~2.EXE 2856 ._cache__CACHE~2.EXE 2756 ._cache_SYNAPT~1.EXE 1932 svchost.com 2456 Synaptics.exe 2708 ._cache_Synaptics.exe 1192 svchost.com 2496 svchost.com 2692 Synaptics.exe 1928 _CACHE~3.EXE 1292 _CACHE~1.EXE 2788 _CACHE~1.EXE 1984 svchost.com 2924 _CACHE~4.EXE -
Loads dropped DLL 64 IoCs
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exec1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exesvchost.com_CACHE~1.EXESynaptics.exeSynaptics.exesvchost.com._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe_CACHE~1.EXEsvchost.comsvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXEsvchost.comSynaptics.exe_CACHE~2.EXESYNAPT~1.EXE._cache_SYNAPT~1.EXEsvchost.com._cache__CACHE~2.EXEsvchost.compid process 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2576 svchost.com 2576 svchost.com 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2448 _CACHE~1.EXE 2448 _CACHE~1.EXE 2448 _CACHE~1.EXE 2512 Synaptics.exe 2448 _CACHE~1.EXE 2512 Synaptics.exe 2512 Synaptics.exe 2772 Synaptics.exe 2832 svchost.com 2832 svchost.com 2772 Synaptics.exe 2772 Synaptics.exe 2772 Synaptics.exe 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 580 svchost.com 580 svchost.com 1144 svchost.com 1144 svchost.com 560 _CACHE~1.EXE 560 _CACHE~1.EXE 560 _CACHE~1.EXE 560 _CACHE~1.EXE 832 _CACHE~1.EXE 900 svchost.com 900 svchost.com 1888 _CACHE~2.EXE 692 svchost.com 692 svchost.com 560 _CACHE~1.EXE 804 Synaptics.exe 1888 _CACHE~2.EXE 2016 _CACHE~2.EXE 1888 _CACHE~2.EXE 2016 _CACHE~2.EXE 1888 _CACHE~2.EXE 2016 _CACHE~2.EXE 1888 _CACHE~2.EXE 1600 SYNAPT~1.EXE 1600 SYNAPT~1.EXE 1600 SYNAPT~1.EXE 804 Synaptics.exe 804 Synaptics.exe 804 Synaptics.exe 2756 ._cache_SYNAPT~1.EXE 1932 svchost.com 2648 ._cache__CACHE~2.EXE 2016 _CACHE~2.EXE 1932 svchost.com 1932 svchost.com 1192 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~2.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~2.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~2.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exec1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exesvchost.comdescription ioc process File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe -
Drops file in Windows directory 42 IoCs
Processes:
._cache_Synaptics.exesvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~2.EXEsvchost.com._cache_Synaptics.exesvchost.com._cache__CACHE~2.EXEsvchost.comsvchost.com._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe._cache_SYNAPT~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.comc1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe._cache_Synaptics.exedescription ioc process File opened for modification C:\Windows\directx.sys ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\Windows\directx.sys ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys ._cache_SYNAPT~1.EXE File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com ._cache_SYNAPT~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
EXCEL.EXEEXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1448 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
_CACHE~1.EXEpid process 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE 832 _CACHE~1.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
_CACHE~1.EXEdescription pid process Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE Token: SeSystemProfilePrivilege 832 _CACHE~1.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
EXCEL.EXEEXCEL.EXEpid process 1448 EXCEL.EXE 2932 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exec1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exesvchost.com_CACHE~1.EXESynaptics.exe._cache__CACHE~1.EXE._cache_Synaptics.exesvchost.comSynaptics.exe_CACHE~1.EXE._cache_Synaptics.exe._cache__CACHE~1.EXEsvchost.comdescription pid process target process PID 2844 wrote to memory of 1284 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 2844 wrote to memory of 1284 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 2844 wrote to memory of 1284 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 2844 wrote to memory of 1284 2844 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 1284 wrote to memory of 2636 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 1284 wrote to memory of 2636 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 1284 wrote to memory of 2636 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 1284 wrote to memory of 2636 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe PID 2636 wrote to memory of 2576 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe svchost.com PID 2636 wrote to memory of 2576 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe svchost.com PID 2636 wrote to memory of 2576 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe svchost.com PID 2636 wrote to memory of 2576 2636 ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe svchost.com PID 2576 wrote to memory of 2448 2576 svchost.com _CACHE~1.EXE PID 2576 wrote to memory of 2448 2576 svchost.com _CACHE~1.EXE PID 2576 wrote to memory of 2448 2576 svchost.com _CACHE~1.EXE PID 2576 wrote to memory of 2448 2576 svchost.com _CACHE~1.EXE PID 1284 wrote to memory of 2512 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe Synaptics.exe PID 1284 wrote to memory of 2512 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe Synaptics.exe PID 1284 wrote to memory of 2512 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe Synaptics.exe PID 1284 wrote to memory of 2512 1284 c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe Synaptics.exe PID 2448 wrote to memory of 3004 2448 _CACHE~1.EXE svchost.com PID 2448 wrote to memory of 3004 2448 _CACHE~1.EXE svchost.com PID 2448 wrote to memory of 3004 2448 _CACHE~1.EXE svchost.com PID 2448 wrote to memory of 3004 2448 _CACHE~1.EXE svchost.com PID 2448 wrote to memory of 2772 2448 _CACHE~1.EXE Synaptics.exe PID 2448 wrote to memory of 2772 2448 _CACHE~1.EXE Synaptics.exe PID 2448 wrote to memory of 2772 2448 _CACHE~1.EXE Synaptics.exe PID 2448 wrote to memory of 2772 2448 _CACHE~1.EXE Synaptics.exe PID 2512 wrote to memory of 1648 2512 Synaptics.exe ._cache_Synaptics.exe PID 2512 wrote to memory of 1648 2512 Synaptics.exe ._cache_Synaptics.exe PID 2512 wrote to memory of 1648 2512 Synaptics.exe ._cache_Synaptics.exe PID 2512 wrote to memory of 1648 2512 Synaptics.exe ._cache_Synaptics.exe PID 3004 wrote to memory of 2692 3004 ._cache__CACHE~1.EXE Synaptics.exe PID 3004 wrote to memory of 2692 3004 ._cache__CACHE~1.EXE Synaptics.exe PID 3004 wrote to memory of 2692 3004 ._cache__CACHE~1.EXE Synaptics.exe PID 3004 wrote to memory of 2692 3004 ._cache__CACHE~1.EXE Synaptics.exe PID 1648 wrote to memory of 2832 1648 ._cache_Synaptics.exe svchost.com PID 1648 wrote to memory of 2832 1648 ._cache_Synaptics.exe svchost.com PID 1648 wrote to memory of 2832 1648 ._cache_Synaptics.exe svchost.com PID 1648 wrote to memory of 2832 1648 ._cache_Synaptics.exe svchost.com PID 2832 wrote to memory of 832 2832 svchost.com _CACHE~1.EXE PID 2832 wrote to memory of 832 2832 svchost.com _CACHE~1.EXE PID 2832 wrote to memory of 832 2832 svchost.com _CACHE~1.EXE PID 2832 wrote to memory of 832 2832 svchost.com _CACHE~1.EXE PID 2772 wrote to memory of 1692 2772 Synaptics.exe ._cache_Synaptics.exe PID 2772 wrote to memory of 1692 2772 Synaptics.exe ._cache_Synaptics.exe PID 2772 wrote to memory of 1692 2772 Synaptics.exe ._cache_Synaptics.exe PID 2772 wrote to memory of 1692 2772 Synaptics.exe ._cache_Synaptics.exe PID 832 wrote to memory of 1776 832 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 832 wrote to memory of 1776 832 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 832 wrote to memory of 1776 832 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 832 wrote to memory of 1776 832 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 1692 wrote to memory of 580 1692 ._cache_Synaptics.exe ._cache_Synaptics.exe PID 1692 wrote to memory of 580 1692 ._cache_Synaptics.exe ._cache_Synaptics.exe PID 1692 wrote to memory of 580 1692 ._cache_Synaptics.exe ._cache_Synaptics.exe PID 1692 wrote to memory of 580 1692 ._cache_Synaptics.exe ._cache_Synaptics.exe PID 1776 wrote to memory of 1144 1776 ._cache__CACHE~1.EXE svchost.com PID 1776 wrote to memory of 1144 1776 ._cache__CACHE~1.EXE svchost.com PID 1776 wrote to memory of 1144 1776 ._cache__CACHE~1.EXE svchost.com PID 1776 wrote to memory of 1144 1776 ._cache__CACHE~1.EXE svchost.com PID 580 wrote to memory of 560 580 svchost.com _CACHE~1.EXE PID 580 wrote to memory of 560 580 svchost.com _CACHE~1.EXE PID 580 wrote to memory of 560 580 svchost.com _CACHE~1.EXE PID 580 wrote to memory of 560 580 svchost.com _CACHE~1.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE"7⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate10⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate13⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate14⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate15⤵
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate14⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate19⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate20⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate21⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate22⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate11⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate14⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate19⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate12⤵
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate11⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate12⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate13⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate14⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE" InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE" InjUpdate17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE" InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C6820~1.EXE InjUpdate19⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" InjUpdate7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXEC:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE InjUpdate8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_SYNAPT~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache_SYNAPT~1.EXE" InjUpdate9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate12⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate13⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate14⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXEFilesize
859KB
MD502ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exeFilesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exeFilesize
186KB
MD558b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exeFilesize
1.1MB
MD5566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXEFilesize
285KB
MD5831270ac3db358cdbef5535b0b3a44e6
SHA1c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXEFilesize
313KB
MD58c4f4eb73490ca2445d8577cf4bb3c81
SHA10f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA25685f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA51265453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXEFilesize
569KB
MD5eef2f834c8d65585af63916d23b07c36
SHA18cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA2563cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA5122ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exeFilesize
381KB
MD53ec4922dbca2d07815cf28144193ded9
SHA175cda36469743fbc292da2684e76a26473f04a6d
SHA2560587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exeFilesize
137KB
MD5e1833678885f02b5e3cf1b3953456557
SHA1c197e763500002bc76a8d503933f1f6082a8507a
SHA256bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
-
C:\ProgramData\Synaptics\RCX367B.tmpFilesize
753KB
MD502897faa98bb7b124155dc43b1504d57
SHA1a09167f95ca0327fceaebae3438d244baeaecbe8
SHA256610c75b1ae3062f4896bf0fb822036de8d04402fc4267955aec1d1d04993743d
SHA51205f48e90a5eb7c00b78c659a95925a31a534c55bd38f8b62c854c6266390036ee934f6d9f11ac32a7be476875d52a3e7a9562f3f8f3e31fa8bc2addee78a1c0e
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXEFilesize
918KB
MD51f2d31de738d923eb7d41f0c98706b8c
SHA1d1ea22a446f9a72727c4fbfd8f4efa9ce8d9d9fe
SHA256297ecec2de8c1a5ceb6c282122b399a71e9afdbd2bbe8a64221016f0537eedc6
SHA5126e1e79cb9a62f800a789eaabedd089838253c546b72b1caec483160a515637723778a6039847dfb8083d795def49216f7ba9cdd3ddc4abb73938dd0a3ee19929
-
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXEFilesize
878KB
MD5a8469ddf986bcb4f537fc485c54f978b
SHA10702f0ae7439eb364529ecfc20b02bd29d6ceaa9
SHA2560bfc09be218031d20af69113ae93f523b3c36e5433f17b930ad5855ed8a0bc19
SHA512e8ba54557042264e86a4bc7523981db7d9bb87a6afadc9a7423f9e1b7180839c0392b3a6fc6da0ed424b4d09bd45654cc5a422598458664dd14f8df4c5835817
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEFilesize
1.6MB
MD5e930adc587d1844dfeba862f8e2400ce
SHA18cb7df27da77b1144478333701e2f58460d70e13
SHA256626978116cd621e2bde6915f8e04883bf2aaa925eeb724ea6587e94d119245df
SHA512b07ef9c7fa33f587a57b7733bb774d53e986e8e2bd28496f28c89541500e0e24b8e98ccbff7082f0bf1e5bc3d7b8991cacd2269c75057be38cb6002ad0885a97
-
C:\Windows\directx.sysFilesize
57B
MD556abc40d1e45c091d8afddb90a4ce6b4
SHA108db549484467b32b79958700300cabefc659848
SHA256a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1
SHA51251625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698
-
C:\Windows\directx.sysFilesize
57B
MD56b3bfceb3942a9508a2148acbee89007
SHA13622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
C:\Windows\directx.sysFilesize
35B
MD510320b53df6530a542f13adf5f36d39a
SHA1386dd879a3e1176b0c91328ce8254174e4220569
SHA2569c4249eb6a5603fcc10a8c8c3c4d8f028a98ebcd9179c0836faacf1d03a48ce7
SHA512c8007820db892b374dee1e6917c6caa4981d3f230ffc11d6753951ff46861ee4b0035544b3309b3008a2a769266639ce45ebc023b1748730cf0cf67844a065d6
-
C:\Windows\directx.sysFilesize
92B
MD521d4ea9de48032aaf048ee7b6a32199e
SHA16103e4da901ef085be832c783e35b77fed850b00
SHA2565beb53e3fff94531257affda6d616ce3c589cb5c366b4fb1580bff8ce9468b53
SHA512131044994427c79b0d700ba8e63ce4ef954439603d063bda3797015d1a9cd89c4f0a57cca62afee31313a2fbcb5f4bd2e64f6bd7311a39f49508dbaa38d1f198
-
C:\Windows\directx.sysFilesize
92B
MD527b81f62272c4fb29d767dcc7c54c4ad
SHA14a7b9dd9c6e3cb6d1d9ed951f72852b7009b7aff
SHA256ece9360499614dc21a8647ab5b5c9f7d6516f7e27278a1cd8cdcadd984c0d3b1
SHA51264b0a19341af5a2c1d6616930ec3d487b696f03f710111ef0a10ed95fa82e58ee6289006d281f646c67def44ce56d5d574664d8906e0a3de5725b95a7ff44ba2
-
C:\Windows\directx.sysFilesize
92B
MD5c4388baf1b613f8cf2dd0b8ceb366cc0
SHA14dddb68a6b17cb998f79aa33474cb19c03517519
SHA256854a0aaccbdac572fc47ad16327158b08d24d1ab7980183df2119755882a638f
SHA512c199f136b5427f4357aa2e124c0d9186c2378a549c89ea9454218b741ede23e7e1ac6f07d2afce1fd30599a564828d5ef91fa65d3795a7a9ecf7d30006c8e3b2
-
C:\Windows\directx.sysFilesize
92B
MD550f9540e92cf29209f78b355a43d1b90
SHA18abcaab03e674ea2809493e7b877510c8d3a26cc
SHA256a80262da854cfc312ba1ab8e9b563f50c7fff642aa3cb10f4c39f6007d57ba3f
SHA512b76e8239ab638ab8ca81f4bb065a6113931a53bf0b441513482d3553cc64ba13f84233faa280be6b0212465b94c099feef19a4dd6e294542f7ea88d6c49f3b7f
-
C:\Windows\directx.sysFilesize
92B
MD5a02f4e4e38e7216dfb30fd12b4705a54
SHA1087b04d108c83eff19e9ad7a83a0ebe956cdeb5c
SHA2564d2cea730594f9a6635d1e777b09e753c9243afeabf9d310e40c9a9bb19abce8
SHA512ac6ce4182f608fc03f774a7d5c04965de7497c136c230f384b078391ad97adeddfda4626d10caabf5c2055b220f2fe83c3fbe25ceb7f361ac790fc3a18f8ddf9
-
C:\Windows\directx.sysFilesize
65B
MD548666032bcbce70055a4b8477879c103
SHA1080069095e146772bae92f4281c9a8245b4bce69
SHA2564476a30a9745e1ce4ff339c4d4e3fea9be5dc2238e4b74f4106c24f14f3d88f4
SHA51288488a7545aa2225864c3ccbeb41edeada19402131f34cae7d4981612efb868f7ba071dded738299e1a6dd9b081bcc43eb3921d6d6c3e453597a3f02af4b18b3
-
C:\Windows\svchost.comFilesize
40KB
MD5795dec5bafd15c555abfede51795b91b
SHA1f16953ae5c96220776d37b971ba00a191c4b083c
SHA256d0e01f71c109b1c9ab478d5da4e1dd393d524aabfb4bfabedcc8940d70a41e2a
SHA51237484352af113d6a874f0a32ada106589e789b0784400004c973915601abe5d0fb3f42a52711bd4259d03468f2ffa89c3a849d89575464d3aef079f656c4e6d8
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exeFilesize
1.7MB
MD5e55c49f2a991537646875937ca47effb
SHA17663b801a90a0458f5340735c4495a2d5ad0bd05
SHA256d5883da8a53b0072eb6a2b85e8227f6d16639eaca1167cc5e240e616d18bbe00
SHA51248560369845c5b3315de8e0c5821aee9ce97b3ec8c712c699f37c9294cfabb8a23f2d969a05a3b40a431d187ee836cddb259b367805b297ed7742cb410181ef0
-
\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exeFilesize
2.4MB
MD52f80797c60331299f3d30144650ed45b
SHA1707e60c90ea8defb5b52398abd3ce51a6f65cea1
SHA2563f10b6b47789e3eff7b0f9b6e121fb9aa3e2b93786b891b01e1f23ad60d06f15
SHA512a9257e4a83270e515c751e59966efea2fbd9de0d2585abf5f375a49512392593b9610e19d409bd29c015eeabb1c7cf687ceff6160ba0c3a984d9b7db5b1910f7
-
memory/312-367-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/320-348-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/560-231-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/576-351-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/580-169-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/580-338-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/692-235-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/768-436-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/804-443-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/804-426-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/832-203-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/840-368-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/900-229-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/988-350-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1144-200-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1152-340-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1156-438-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/1192-297-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1240-422-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1284-9-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1284-60-0x0000000000400000-0x000000000066E000-memory.dmpFilesize
2.4MB
-
memory/1396-437-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1448-222-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1600-309-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1648-117-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1692-144-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1776-149-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1888-242-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/1912-414-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1928-434-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/1932-315-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1984-325-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2016-298-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/2136-383-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2152-218-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2152-397-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2228-370-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2320-403-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2352-384-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2408-401-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2412-423-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2448-83-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/2456-432-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/2496-300-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2512-145-0x0000000000400000-0x000000000066E000-memory.dmpFilesize
2.4MB
-
memory/2544-440-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/2576-63-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2636-425-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2636-442-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2648-283-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2692-433-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/2692-105-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2708-317-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2744-439-0x0000000000400000-0x00000000004E1000-memory.dmpFilesize
900KB
-
memory/2756-280-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2772-148-0x0000000000400000-0x000000000066E000-memory.dmpFilesize
2.4MB
-
memory/2832-138-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2844-424-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2844-441-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2856-291-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2872-357-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2924-435-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/3004-97-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3004-415-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB