Analysis
max time kernel: 7s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 13:48
Behavioral task: behavioral1
Sample: c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Size: 2.4MB
MD5: c1779426d93c21f8a8225ae0771a41c0
SHA1: 3f6db29296d972691a377d1ca600dad1934a6ffb
SHA256: 5b6ddc64b4f2d59e0d119fc8790852b47dc0b7c2f17da35ac540a512a70f529c
SHA512: b22ee5dd946bb6317cbbade882ea2d78ef5d9a7300707fcb2aa6ffd1f2e389f32e7dbf0b3de6e984f9b2cddafb11bd1635538cc31d21f8a045b778db2af058e8
SSDEEP: 49152:UHyjtk2MYC5GDNHyjtk2MYC5GDJHyjtk2MYC5GDHnanWn9:Umtk2asmtk2aImtk2aInanWn9
Malware Config
Signatures
Detect Neshta payload (64 IoCs)
Neshta
Malware from the Neshta family inserts itself into other files in order to spread and cause damage.
Checks computer location settings (2 TTPs, 13 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Processes:
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Synaptics.exe
_CACHE~1.EXE
._cache__CACHE~1.EXE
._cache__CACHE~2.EXE
c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Synaptics.exe
_CACHE~1.EXE
._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
._cache_Synaptics.exe
_CACHE~2.EXE
_CACHE~3.EXE
._cache__CACHE~3.EXE
Executes dropped EXE (21 IoCs)
Processes:
pid | process
632 | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
1508 | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
3276 | Synaptics.exe
2324 | svchost.com
408 | _CACHE~1.EXE
2276 | ._cache_Synaptics.exe
540 | ._cache__CACHE~1.EXE
3036 | svchost.com
3760 | _CACHE~2.EXE
240 | svchost.com
2296 | _CACHE~3.EXE
5004 | ._cache__CACHE~2.EXE
4916 | ._cache__CACHE~3.EXE
1684 | Synaptics.exe
2084 | svchost.com
5056 | _CACHE~1.EXE
4184 | svchost.com
4660 | _CACHE~4.EXE
4712 | ._cache__CACHE~1.EXE
2244 | ._cache_Synaptics.exe
3196 | Synaptics.exe
Loads dropped DLL (6 IoCs)
Processes:
pid | process
1684 | Synaptics.exe
1684 | Synaptics.exe
5056 | _CACHE~1.EXE
5056 | _CACHE~1.EXE
3196 | Synaptics.exe
3196 | Synaptics.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | ._cache__CACHE~1.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~1.EXE
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (23 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache__CACHE~2.EXE
File opened for modification | C:\Windows\directx.sys | ._cache__CACHE~3.EXE
File opened for modification | C:\Windows\svchost.com | ._cache__CACHE~3.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | ._cache__CACHE~1.EXE
File opened for modification | C:\Windows\svchost.com | ._cache__CACHE~1.EXE
File opened for modification | C:\Windows\directx.sys | ._cache__CACHE~1.EXE
File opened for modification | C:\Windows\svchost.com | ._cache__CACHE~1.EXE
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\directx.sys | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
File opened for modification | C:\Windows\directx.sys | ._cache__CACHE~2.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (14 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | ._cache__CACHE~2.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | ._cache__CACHE~3.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | _CACHE~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | ._cache_Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | _CACHE~3.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | _CACHE~1.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | ._cache__CACHE~1.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | _CACHE~2.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | ._cache__CACHE~1.EXE
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes (identical repeated rows collapsed):
pid | process
3760 | _CACHE~2.EXE (all 62 events from this process)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes (identical repeated rows collapsed):
description | pid | process
Token: SeSystemProfilePrivilege | 3760 | _CACHE~2.EXE (all 31 events from this process)
Suspicious use of WriteProcessMemory (62 IoCs)
Processes (identical repeated rows collapsed):
source pid | source process | target pid | target process
2468 | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | 632 | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
632 | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | 1508 | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
632 | c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | 3276 | Synaptics.exe
1508 | ._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | 2324 | svchost.com
2324 | svchost.com | 408 | _CACHE~1.EXE
3276 | Synaptics.exe | 2276 | ._cache_Synaptics.exe
408 | _CACHE~1.EXE | 540 | ._cache__CACHE~1.EXE
2276 | ._cache_Synaptics.exe | 3036 | svchost.com
3036 | svchost.com | 3760 | _CACHE~2.EXE
540 | ._cache__CACHE~1.EXE | 240 | ._cache_Synaptics.exe
240 | svchost.com | 2296 | _CACHE~3.EXE
3760 | _CACHE~2.EXE | 5004 | ._cache__CACHE~2.EXE
2296 | _CACHE~3.EXE | 4916 | ._cache__CACHE~3.EXE
3760 | _CACHE~2.EXE | 1684 | Synaptics.exe
5004 | ._cache__CACHE~2.EXE | 2084 | Synaptics.exe
2084 | svchost.com | 5056 | _CACHE~1.EXE
4916 | ._cache__CACHE~3.EXE | 4184 | svchost.com
4184 | svchost.com | 4660 | _CACHE~4.EXE
5056 | _CACHE~1.EXE | 4712 | ._cache__CACHE~1.EXE
1684 | Synaptics.exe | 2244 | ._cache_Synaptics.exe
5056 | _CACHE~1.EXE | 3196 | svchost.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe" | level 1
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe" | level 2
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe" | level 3
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" | level 4
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | level 5
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" | level 6
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" | level 7
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | level 8
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" | level 9
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" | level 10
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | level 11
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 3
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 4
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 5
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 6
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 7
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 8
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 9
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 10
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 10
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 11
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 12
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 13
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 14
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 15
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 16
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 17
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 18
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 19
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 20
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 21
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 22
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 20
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 21
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 22
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 23
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 24
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 25
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 26
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 27
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 28
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 29
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 30
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 31
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 32
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 30
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 31
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 32
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 33
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 34
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 35
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 36
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 37
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 37
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 38
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 39
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 40
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 41
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 42
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 43
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 44
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 45
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 46
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 47
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 48
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 49
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 47
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 48
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 49
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 50
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 51
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 52
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 53
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 54
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 55
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 56
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 57
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 58
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 59
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 44
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 41
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 34
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 35
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 36
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 37
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 38
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 39
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 40
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 41
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 42
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 43
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 44
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 45
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 46
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 44
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 45
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 46
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 47
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 48
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 49
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 50
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 51
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 52
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 53
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 54
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 55
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 56
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 48
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 49
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 50
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 51
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 52
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 53
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 54
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 55
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 56
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 57
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 58
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 59
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 60
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 41
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 38
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 27
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 24
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 24
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 17
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 14
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 7
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 8
- Executes dropped EXE
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 10
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 11
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 12
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 13
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 14
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 15
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 16
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 17
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 18
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 19
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 17
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 18
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate | level 19
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate | level 20
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate | level 21
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate | level 22
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate | level 23
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate | level 24
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate | level 25
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate | level 26
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate | level 27
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate | level 28
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate | level 29
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 27
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 24
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 25
-
C:\Windows\svchost.com | "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate | level 26
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 21
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate | level 22
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 14
-
C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | level 11
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution (1)
Change Default File Association (1)
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXEFilesize
328KB
MD539c8a4c2c3984b64b701b85cb724533b
SHA1c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXEFilesize
5.7MB
MD509acdc5bbec5a47e8ae47f4a348541e2
SHA1658f64967b2a9372c1c0bdd59c6fb2a18301d891
SHA2561b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403
SHA5123867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exeFilesize
175KB
MD5576410de51e63c3b5442540c8fdacbee
SHA18de673b679e0fee6e460cbf4f21ab728e41e0973
SHA2563f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exeFilesize
9.4MB
MD5322302633e36360a24252f6291cdfc91
SHA1238ed62353776c646957efefc0174c545c2afa3d
SHA25631da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA5125a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exeFilesize
2.4MB
MD58ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA2568268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA5120b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXEFilesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exeFilesize
131KB
MD55791075058b526842f4601c46abd59f5
SHA1b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA2565c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA51283e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXEFilesize
254KB
MD54ddc609ae13a777493f3eeda70a81d40
SHA18957c390f9b2c136d37190e32bccae3ae671c80a
SHA25616d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA5129d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXEFilesize
386KB
MD58c753d6448183dea5269445738486e01
SHA1ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA5124f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXEFilesize
92KB
MD5176436d406fd1aabebae353963b3ebcf
SHA19ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA2562f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exeFilesize
125KB
MD5cce8964848413b49f18a44da9cb0a79b
SHA10b7452100d400acebb1c1887542f322a92cbd7ae
SHA256fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXEFilesize
142KB
MD592dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA2563e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXEFilesize
278KB
MD512c29dd57aa69f45ddd2e47620e0a8d9
SHA1ba297aa3fe237ca916257bc46370b360a2db2223
SHA25622a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
773KB
MD5e7a27a45efa530c657f58fda9f3b9f4a
SHA16c0d29a8b75574e904ab1c39fc76b39ca8f8e461
SHA256d6f11401f57293922fb36cd7542ae811ab567a512449e566f83ce0dcef5ff8e5
SHA5120c37b41f3c075cd89a764d81f751c3a704a19240ad8e4ebab591f399b9b168b920575749e9d24c2a8f0400b9f340ab9fea4db76ff7060d8af00e2b36ac0c4a54
-
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXEFilesize
121KB
MD5cbd96ba6abe7564cb5980502eec0b5f6
SHA174e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exeFilesize
325KB
MD50511abca39ed6d36fff86a8b6f2266cd
SHA1bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA25676ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA5126608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exeFilesize
325KB
MD56f87ccb8ab73b21c9b8288b812de8efa
SHA1a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA25614e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee
-
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXEFilesize
155KB
MD5f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA51228bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c
-
C:\PROGRA~2\Google\Update\DISABL~1.EXEFilesize
207KB
MD53b0e91f9bb6c1f38f7b058c91300e582
SHA16e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA25657c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXEFilesize
139KB
MD549139daa5597eaad0979962066bc0d6b
SHA1530c87363f416a7dce92316c5941ec535029ca98
SHA256013c02a79be19f930a74cb081f0ba048dfd54d82c236ee3a524f4d5784f67d77
SHA512b5b636e313281eb1d398c1aec2f973503f4384ffb169fc691a7b340dc4f6f5bc14ba14bc6c242ac65da4469fd610d4fa52d84ed1fb6db0db22fad55974f908e0
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXEFilesize
139KB
MD5a15016441259c3704235b7c1cb654d06
SHA1c9277f066c26446758df4fff5045a367f2a799ce
SHA256d2c00ac573df0c4eb408c4cba1add7e24bd0ce3fb151b943e1a924f88b5d4595
SHA512f4b1c0c5693a5f1d847d3ef8a6cc45ac5c87a763439605ad5bc5bfbcf05ad5911ef250639585233a1c73bd35a591b4fb7ef9bde841db8d9334998759fd0b8d17
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE
Filesize 242KB
MD5 64f984b2f82f24ff3afe653fa78ae2c1
SHA1 33ed1c8686a7ee0ef7efeb3628a814873461f54f
SHA256 a4d51e8cbc9a30dc847c6b0913e1d5a6c1643d0b013b4c93cd1a505ce59ffcf9
SHA512 7aa1eb9630ecb63e70de516f16fb8769cce1f4659b206c80ec284fc061d714aafbebc5ed69cdd971831ed1ee2194a1b55002de45386dcd095919c1fc031780ac
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
Filesize 138KB
MD5 5e08d87c074f0f8e3a8e8c76c5bf92ee
SHA1 f52a554a5029fb4749842b2213d4196c95d48561
SHA256 5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714
SHA512 dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
Filesize 1.6MB
MD5 11486d1d22eaacf01580e3e650f1da3f
SHA1 a47a721efec08ade8456a6918c3de413a2f8c7a2
SHA256 5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3
SHA512 5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
Filesize 1.3MB
MD5 27543bab17420af611ccc3029db9465a
SHA1 f0f96fd53f9695737a3fa6145bc5a6ce58227966
SHA256 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c
SHA512 a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
Filesize 1.1MB
MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
Filesize 3.2MB
MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
Filesize 1.1MB
MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787
-
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
Filesize 650KB
MD5 72d0addae57f28c993b319bfafa190ac
SHA1 8082ad7a004a399f0edbf447425f6a0f6c772ff3
SHA256 671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18
SHA512 98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab
-
C:\ProgramData\Synaptics\RCX7F42.tmp
Filesize 753KB
MD5 02897faa98bb7b124155dc43b1504d57
SHA1 a09167f95ca0327fceaebae3438d244baeaecbe8
SHA256 610c75b1ae3062f4896bf0fb822036de8d04402fc4267955aec1d1d04993743d
SHA512 05f48e90a5eb7c00b78c659a95925a31a534c55bd38f8b62c854c6266390036ee934f6d9f11ac32a7be476875d52a3e7a9562f3f8f3e31fa8bc2addee78a1c0e
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize 534KB
MD5 8a403bc371b84920c641afa3cf9fef2f
SHA1 d6c9d38f3e571b54132dd7ee31a169c683abfd63
SHA256 614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3
SHA512 b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize 6.7MB
MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize 485KB
MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize 674KB
MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize 674KB
MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize 495KB
MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164
-
C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE
Filesize 650KB
MD5 2f826daacb184077b67aad3fe30e3413
SHA1 981d415fe70414aaac3a11024e65ae2e949aced8
SHA256 a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222
SHA512 2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
Filesize 293KB
MD5 f3228c24035b3f54f78bb4fd11c36aeb
SHA1 2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb
SHA256 d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7
SHA512 b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize 918KB
MD5 1f2d31de738d923eb7d41f0c98706b8c
SHA1 d1ea22a446f9a72727c4fbfd8f4efa9ce8d9d9fe
SHA256 297ecec2de8c1a5ceb6c282122b399a71e9afdbd2bbe8a64221016f0537eedc6
SHA512 6e1e79cb9a62f800a789eaabedd089838253c546b72b1caec483160a515637723778a6039847dfb8083d795def49216f7ba9cdd3ddc4abb73938dd0a3ee19929
-
C:\Users\Admin\AppData\Local\Temp\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Filesize 1.7MB
MD5 e55c49f2a991537646875937ca47effb
SHA1 7663b801a90a0458f5340735c4495a2d5ad0bd05
SHA256 d5883da8a53b0072eb6a2b85e8227f6d16639eaca1167cc5e240e616d18bbe00
SHA512 48560369845c5b3315de8e0c5821aee9ce97b3ec8c712c699f37c9294cfabb8a23f2d969a05a3b40a431d187ee836cddb259b367805b297ed7742cb410181ef0
-
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize 878KB
MD5 a8469ddf986bcb4f537fc485c54f978b
SHA1 0702f0ae7439eb364529ecfc20b02bd29d6ceaa9
SHA256 0bfc09be218031d20af69113ae93f523b3c36e5433f17b930ad5855ed8a0bc19
SHA512 e8ba54557042264e86a4bc7523981db7d9bb87a6afadc9a7423f9e1b7180839c0392b3a6fc6da0ed424b4d09bd45654cc5a422598458664dd14f8df4c5835817
-
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~3.EXE
Filesize 84KB
MD5 bb9748e58595512b974386181b330fe0
SHA1 47abc7936f5b02d3c74d17df409d202f1302568b
SHA256 d44ba366ff01efc1f2a288ff461cde52020d1c9549f0c4aa5e9bdd560e902b5e
SHA512 210d734d2638c4cf1d4818f68d1fd0436828279c438c89968a42617424ca980cee742dc3c943a607c02c951920044bdc69a3056f7895723a8fe890214f161b0a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Filesize 1.6MB
MD5 e930adc587d1844dfeba862f8e2400ce
SHA1 8cb7df27da77b1144478333701e2f58460d70e13
SHA256 626978116cd621e2bde6915f8e04883bf2aaa925eeb724ea6587e94d119245df
SHA512 b07ef9c7fa33f587a57b7733bb774d53e986e8e2bd28496f28c89541500e0e24b8e98ccbff7082f0bf1e5bc3d7b8991cacd2269c75057be38cb6002ad0885a97
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c1779426d93c21f8a8225ae0771a41c0_NeikiAnalytics.exe
Filesize 2.4MB
MD5 2f80797c60331299f3d30144650ed45b
SHA1 707e60c90ea8defb5b52398abd3ce51a6f65cea1
SHA256 3f10b6b47789e3eff7b0f9b6e121fb9aa3e2b93786b891b01e1f23ad60d06f15
SHA512 a9257e4a83270e515c751e59966efea2fbd9de0d2585abf5f375a49512392593b9610e19d409bd29c015eeabb1c7cf687ceff6160ba0c3a984d9b7db5b1910f7
-
C:\Windows\directx.sys
Filesize 57B
MD5 8e4bd9619c227ef2bc20a2cb2aa55e7b
SHA1 a6214b7678b83c4db74b210625b4812300df3a74
SHA256 84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9
SHA512 12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf
-
C:\Windows\directx.sys
(no Filesize recorded for this capture; the four digests below are those of empty input, so the file was zero bytes at the moment it was hashed)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\directx.sys
Filesize 57B
MD5 b42f2603883dadf133cee3ae5d767bb2
SHA1 dc4161551044405353e870b029afff27c8030e22
SHA256 998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28
SHA512 a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d
-
C:\Windows\svchost.com
Filesize 40KB
MD5 795dec5bafd15c555abfede51795b91b
SHA1 f16953ae5c96220776d37b971ba00a191c4b083c
SHA256 d0e01f71c109b1c9ab478d5da4e1dd393d524aabfb4bfabedcc8940d70a41e2a
SHA512 37484352af113d6a874f0a32ada106589e789b0784400004c973915601abe5d0fb3f42a52711bd4259d03468f2ffa89c3a849d89575464d3aef079f656c4e6d8
-
memory/240-846-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/240-379-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/408-272-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/428-955-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/540-375-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/632-120-0x0000000000400000-0x000000000066E000-memory.dmp
Filesize 2.4MB
-
memory/632-12-0x00000000023D0000-0x00000000023D1000-memory.dmp
Filesize 4KB
-
memory/652-1040-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/876-815-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/1080-827-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1420-571-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1508-746-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1540-826-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1552-855-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1684-569-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/1792-561-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1800-633-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1856-1033-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1880-843-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1988-664-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2036-943-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/2084-535-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2084-741-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/2140-749-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/2228-857-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2232-654-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2244-560-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2252-737-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/2276-346-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2296-498-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/2320-854-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/2324-151-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2344-1046-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2468-745-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2668-844-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2812-670-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/2812-936-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3036-376-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3056-853-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/3084-663-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3196-570-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/3276-433-0x0000000000400000-0x000000000066E000-memory.dmp
Filesize 2.4MB
-
memory/3520-1032-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3524-938-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3580-642-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/3592-828-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/3632-944-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/3736-742-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3760-507-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/3764-632-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3944-744-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4184-537-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4264-937-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/4268-728-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4384-1031-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/4584-743-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4604-646-0x0000000000400000-0x00000000005A8000-memory.dmp
Filesize 1.7MB
-
memory/4712-856-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4744-1029-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4916-536-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/4952-563-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/5004-528-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/5052-1038-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/5056-545-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
-
memory/5116-1047-0x0000000000400000-0x00000000004E1000-memory.dmp
Filesize 900KB
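The listing above is the sandbox's raw digest table, and a responder normally wants two things from it: confirmation that its numbers are internally consistent, and a way to match the digests against a suspect host. The script below is an added example written for this page; it is not the sandbox's own tooling and none of its names come from the report. It parses entries in the "Label value" layout used above (the short excerpt it embeds is copied from this report with the SHA512 line omitted), recomputes each memory dump's size from the start and end addresses in its name and flags any entry whose stated Filesize disagrees, and walks a directory tree hashing files to report any whose SHA256 appears in the listing. Assumptions, also marked in the code: the 1024-based rounding in human_size is a guess at how the report renders sizes, the first number in a dump name is read as a PID, and the file planted by demo_scan is constructed for the demonstration.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into IoC records, check it
for internal consistency, and hunt a directory tree for files whose digests are listed.
Added example for readers of the report above, not the sandbox's own tooling."""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Excerpt copied from the report above (SHA512 line omitted). Assumed layout: a path line,
# then 'Label value' lines, entries separated by a line holding only '-'.
REPORT_SNIPPET = """\
C:\\Windows\\svchost.com
Filesize 40KB
MD5 795dec5bafd15c555abfede51795b91b
SHA1 f16953ae5c96220776d37b971ba00a191c4b083c
SHA256 d0e01f71c109b1c9ab478d5da4e1dd393d524aabfb4bfabedcc8940d70a41e2a
-
memory/2324-151-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
"""
# memory/<first>-<seq>-<start>-<end>-memory.dmp; the first field is taken to be a PID (assumption).
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class Entry:
    name: str                                    # dropped-file path or memory dump name
    size_text: str = ""                          # the report's Filesize value, e.g. "108KB"
    digests: dict = field(default_factory=dict)  # algo -> lowercase hex

def parse_report(text: str) -> list:
    """Split the flattened listing into Entry records."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "-":                    # separator closes the current entry
            if cur:
                entries.append(cur)
            cur = None
        elif cur is None:                  # first line of an entry is its name
            cur = Entry(name=line)
        else:
            label, _, value = line.partition(" ")
            if label == "Filesize":
                cur.size_text = value
            elif label.lower() in ("md5", "sha1", "sha256", "sha512"):
                cur.digests[label.lower()] = value.lower()
    return entries + ([cur] if cur else [])

def region_size(dump_name: str) -> int:
    """Bytes covered by a memory dump's start..end address range."""
    m = MEM_RE.match(dump_name)
    if not m:
        raise ValueError(f"not a memory dump name: {dump_name}")
    return int(m["end"], 16) - int(m["start"], 16)

def human_size(n: int) -> str:
    """Render bytes the way the report appears to (assumption: 1024-based, rounded)."""
    if n < 1024:
        return f"{n}B"
    return f"{round(n / 1024)}KB" if n < 1024 ** 2 else f"{n / 1024 ** 2:.1f}MB"

def size_mismatches(entries) -> list:
    """Memory-dump entries whose stated Filesize disagrees with their address range."""
    return [(e.name, e.size_text, human_size(region_size(e.name)))
            for e in entries
            if MEM_RE.match(e.name) and human_size(region_size(e.name)) != e.size_text]

def hash_file(path) -> dict:
    """MD5/SHA1/SHA256 of a file, streamed so large binaries are fine."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def scan_tree(root, entries) -> list:
    """Return (local_path, report_path) for every file under root whose SHA256 is listed."""
    index = {e.digests["sha256"]: e.name for e in entries if "sha256" in e.digests}
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (d := hash_file(p)["sha256"]) in index:
            hits.append((str(p), index[d]))
    return hits

def demo_scan() -> list:
    """Plant a constructed file, register its digest as if it were listed, and scan for it."""
    entries = parse_report(REPORT_SNIPPET)
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp, "planted.bin")
        planted.write_bytes(b"constructed stand-in for a dropped file\n")
        Path(tmp, "benign.txt").write_bytes(b"unrelated content\n")
        # Constructed IoC: pretend the planted file's digests appeared in the listing.
        entries.append(Entry("C:\\constructed\\planted.bin",
                             human_size(planted.stat().st_size), hash_file(planted)))
        return [report for _, report in scan_tree(tmp, entries)]

if __name__ == "__main__":
    print(size_mismatches(parse_report(REPORT_SNIPPET)), demo_scan())
```

Point scan_tree at a mounted image or a collected triage folder to look for the listed artefacts; matching on SHA256 rather than the MD5 or SHA1 columns avoids the collision-prone algorithms while still using digests the report provides. The consistency check is worth running on the full table: the 108KB, 900KB, 1.7MB and 2.4MB dump sizes above all fall out of the address ranges in the names, which is how a reader can tell the sizes were derived from the ranges rather than from file contents.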