Analysis

  • max time kernel
    3s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 13:33

General

  • Target

    c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe

  • Size

    3.2MB

  • MD5

    c0a844b5d843b03c4c8d9f6e8fac4090

  • SHA1

    dd3d641d0ccad097c5eeef459fb8b101a8a56bbd

  • SHA256

    a5aa1d2e2d56445ff55b92223f9b77c6da17458bdfcdc2c0da439ad1459257ce

  • SHA512

    11296eec923d469bd755b36d30d4db5226c2fb2f0fef514fc3606dcf282bf8e01955bbf38255a1525b3e1312b49cb0db375de749a9e11f54d4ac6b2893e524a7

  • SSDEEP

    98304:Vmtk2abmtk2aTmtk2abmtk2a5n/nTnun9:IH/HmPrw9

Malware Config

Signatures

  • Detect Neshta payload 64 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 38 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
              "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
              6⤵
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Windows\svchost.com
                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:2864
                • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
                  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:836
                  • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
                    "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"
                    9⤵
                    • Executes dropped EXE
                    PID:1964
                    • C:\Windows\svchost.com
                      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE"
                      10⤵
                        PID:900
                        • C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
                          C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE
                          11⤵
                            PID:1620
                            • C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE
                              "C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"
                              12⤵
                                PID:1852
                              • C:\ProgramData\Synaptics\Synaptics.exe
                                "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                12⤵
                                  PID:3032
                                  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                    13⤵
                                      PID:1652
                                      • C:\Windows\svchost.com
                                        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                        14⤵
                                          PID:1456
                                          • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                            C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                            15⤵
                                              PID:2512
                                              • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                16⤵
                                                  PID:1552
                                                  • C:\Windows\svchost.com
                                                    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                                    17⤵
                                                      PID:1956
                                                      • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                        18⤵
                                                          PID:992
                                                          • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                            "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                            19⤵
                                                              PID:2992
                                                              • C:\Windows\svchost.com
                                                                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                                20⤵
                                                                  PID:2828
                                                                  • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                                    C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                                    21⤵
                                                                      PID:1876
                                                                      • C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE
                                                                        "C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate
                                                                        22⤵
                                                                          PID:1572
                                  • C:\ProgramData\Synaptics\Synaptics.exe
                                    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                    3⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious use of WriteProcessMemory
                                    PID:2880
                                    • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                      4⤵
                                      • Executes dropped EXE
                                      • Drops file in Windows directory
                                      • Suspicious use of WriteProcessMemory
                                      PID:2540
                                      • C:\Windows\svchost.com
                                        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                        5⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in Windows directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:2148
                                        • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                          C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                          6⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:1588
                                          • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                            "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                            7⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:1452
                                            • C:\Windows\svchost.com
                                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                              8⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in Windows directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:844
                                              • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                9⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Adds Run key to start application
                                                • Suspicious use of WriteProcessMemory
                                                PID:2716
                                                • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                  10⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:812
                                                  • C:\Windows\svchost.com
                                                    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                    11⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Drops file in Windows directory
                                                    PID:1984
                                                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                      C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                      12⤵
                                                      • Executes dropped EXE
                                                      PID:1220
                                                      • C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE
                                                        "C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate
                                                        13⤵
                                                          PID:1204
                                                        • C:\ProgramData\Synaptics\Synaptics.exe
                                                          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                          13⤵
                                                            PID:1892
                                                            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                                              14⤵
                                                                PID:2484
                                                                • C:\Windows\svchost.com
                                                                  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                                                  15⤵
                                                                    PID:2536
                                                                    • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                                                      C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                                                      16⤵
                                                                        PID:2336
                                                                        • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                                          "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                                          17⤵
                                                                            PID:652
                                                                            • C:\Windows\svchost.com
                                                                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                                                              18⤵
                                                                                PID:1544
                                                                                • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                                                  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                                                  19⤵
                                                                                    PID:1916
                                                                                    • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                                                      "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                                                      20⤵
                                                                                        PID:2416
                                                                                        • C:\Windows\svchost.com
                                                                                          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                                                          21⤵
                                                                                            PID:1620
                                                                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                                                              22⤵
                                                                                                PID:2560
                                                                                                • C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate
                                                                                                  23⤵
                                                                                                    PID:2608
                                                                        • C:\ProgramData\Synaptics\Synaptics.exe
                                                                          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                                          10⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          PID:1956
                                                                          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                                                            11⤵
                                                                              PID:356
                                                                              • C:\Windows\svchost.com
                                                                                "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                                                                12⤵
                                                                                  PID:1888
                                                                                  • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                                                                    C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                                                                    13⤵
                                                                                      PID:1432
                                                                                      • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                                                        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                                                        14⤵
                                                                                          PID:2616
                                                                                          • C:\Windows\svchost.com
                                                                                            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                                                                            15⤵
                                                                                              PID:2604
                                                                                              • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                                                                C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                                                                16⤵
                                                                                                  PID:2152
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                                                                    17⤵
                                                                                                      PID:536
                                                                                                      • C:\Windows\svchost.com
                                                                                                        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                                                                        18⤵
                                                                                                          PID:2436
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                                                                            C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                                                                            19⤵
                                                                                                              PID:1984
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate
                                                                                                                20⤵
                                                                                                                  PID:2040
                                                                                                    • C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                                                                      14⤵
                                                                                                        PID:2764
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                                                                                                          15⤵
                                                                                                            PID:1360
                                                                                                            • C:\Windows\svchost.com
                                                                                                              "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
                                                                                                              16⤵
                                                                                                                PID:584
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
                                                                                                                  17⤵
                                                                                                                    PID:1040
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
                                                                                                                      18⤵
                                                                                                                        PID:2396
                                                                                                                        • C:\Windows\svchost.com
                                                                                                                          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
                                                                                                                          19⤵
                                                                                                                            PID:2236
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
                                                                                                                              20⤵
                                                                                                                                PID:1928
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
                                                                                                                                  21⤵
                                                                                                                                    PID:3000
                                                                                                                                    • C:\Windows\svchost.com
                                                                                                                                      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate
                                                                                                                                      22⤵
                                                                                                                                        PID:2888
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate
                                                                                                                                          23⤵
                                                                                                                                            PID:2964
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate
                                                                                                                                              24⤵
                                                                                                                                                PID:2488
                                                                                                            • C:\ProgramData\Synaptics\Synaptics.exe
                                                                                                              "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
                                                                                                              7⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1568

                                                                                                Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Event Triggered Execution (T1546): 1
    • Change Default File Association (T1546.001): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2

Discovery
  • System Information Discovery (T1082): 1


                                                                                                Downloads

• memory/356-206-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/536-331-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/584-301-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/652-335-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/812-182-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/836-180-0x0000000000400000-0x0000000000598000-memory.dmp (Filesize 1.6MB)
• memory/844-141-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/900-209-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/992-413-0x0000000000400000-0x0000000000598000-memory.dmp (Filesize 1.6MB)
• memory/1040-410-0x0000000000400000-0x000000000065E000-memory.dmp (Filesize 2.4MB)
• memory/1204-199-0x0000000000E60000-0x0000000000E87000-memory.dmp (Filesize 156KB)
• memory/1204-212-0x0000000000E60000-0x0000000000E87000-memory.dmp (Filesize 156KB)
• memory/1220-210-0x0000000000400000-0x00000000004D1000-memory.dmp (Filesize 836KB)
• memory/1220-197-0x0000000003E70000-0x0000000003E97000-memory.dmp (Filesize 156KB)
• memory/1360-283-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
• memory/1432-220-0x0000000000400000-0x000000000065E000-memory.dmp (Filesize 2.4MB)
                                                                                                • memory/1452-111-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1456-273-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1544-343-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1552-342-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1572-397-0x0000000000E50000-0x0000000000E77000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1572-401-0x0000000000E50000-0x0000000000E77000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1588-153-0x0000000000400000-0x000000000065E000-memory.dmp
                                                                                                  Filesize

                                                                                                  2.4MB

                                                                                                • memory/1620-373-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1620-219-0x0000000000400000-0x00000000004D1000-memory.dmp
                                                                                                  Filesize

                                                                                                  836KB

                                                                                                • memory/1620-217-0x0000000003F00000-0x0000000003F27000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1640-12-0x0000000000220000-0x0000000000221000-memory.dmp
                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/1640-60-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB

                                                                                                • memory/1652-248-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1852-218-0x0000000000BF0000-0x0000000000C17000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1852-222-0x0000000000BF0000-0x0000000000C17000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1876-427-0x0000000001E80000-0x0000000001EA7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1876-396-0x0000000003E80000-0x0000000003EA7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1876-394-0x0000000001E80000-0x0000000001EA7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1876-434-0x0000000003E80000-0x0000000003EA7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1888-213-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1892-299-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB

                                                                                                • memory/1916-412-0x0000000000400000-0x0000000000598000-memory.dmp
                                                                                                  Filesize

                                                                                                  1.6MB

                                                                                                • memory/1928-414-0x0000000000400000-0x0000000000598000-memory.dmp
                                                                                                  Filesize

                                                                                                  1.6MB

                                                                                                • memory/1956-198-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB

                                                                                                • memory/1956-365-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1964-185-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1984-398-0x0000000000520000-0x0000000000547000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1984-411-0x0000000000400000-0x00000000004D1000-memory.dmp
                                                                                                  Filesize

                                                                                                  836KB

                                                                                                • memory/1984-188-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/1984-402-0x00000000040F0000-0x0000000004117000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1984-349-0x00000000040F0000-0x0000000004117000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/1984-332-0x0000000000520000-0x0000000000547000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2040-364-0x00000000011B0000-0x00000000011D7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2040-360-0x00000000011B0000-0x00000000011D7000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2148-95-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2152-407-0x0000000000400000-0x0000000000598000-memory.dmp
                                                                                                  Filesize

                                                                                                  1.6MB

                                                                                                • memory/2184-405-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2204-404-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2236-362-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2336-408-0x0000000000400000-0x000000000065E000-memory.dmp
                                                                                                  Filesize

                                                                                                  2.4MB

                                                                                                • memory/2396-358-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2416-367-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2436-333-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2484-246-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2488-403-0x0000000000E50000-0x0000000000E77000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2512-409-0x0000000000400000-0x000000000065E000-memory.dmp
                                                                                                  Filesize

                                                                                                  2.4MB

                                                                                                • memory/2536-271-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2540-89-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2556-140-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2560-374-0x0000000000550000-0x0000000000577000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2560-416-0x00000000040F0000-0x0000000004117000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2560-406-0x0000000000550000-0x0000000000577000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2560-375-0x00000000040F0000-0x0000000004117000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2604-262-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2608-376-0x0000000000F30000-0x0000000000F57000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2608-391-0x0000000000F30000-0x0000000000F57000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2616-224-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2716-173-0x0000000000400000-0x0000000000598000-memory.dmp
                                                                                                  Filesize

                                                                                                  1.6MB

                                                                                                • memory/2752-129-0x0000000000400000-0x000000000065E000-memory.dmp
                                                                                                  Filesize

                                                                                                  2.4MB

                                                                                                • memory/2764-300-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB

                                                                                                • memory/2772-65-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2828-395-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2864-167-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2880-107-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB

                                                                                                • memory/2888-393-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/2964-399-0x0000000004130000-0x0000000004157000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2964-392-0x0000000000670000-0x0000000000697000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2964-421-0x0000000000670000-0x0000000000697000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2964-446-0x0000000004130000-0x0000000004157000-memory.dmp
                                                                                                  Filesize

                                                                                                  156KB

                                                                                                • memory/2992-378-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/3000-380-0x0000000000400000-0x000000000041B000-memory.dmp
                                                                                                  Filesize

                                                                                                  108KB

                                                                                                • memory/3032-302-0x0000000000400000-0x0000000000725000-memory.dmp
                                                                                                  Filesize

                                                                                                  3.1MB