Analysis
-
max time kernel
3s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
19-06-2024 13:33
Behavioral task
behavioral1
Sample
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe
-
Size
3.2MB
-
MD5
c0a844b5d843b03c4c8d9f6e8fac4090
-
SHA1
dd3d641d0ccad097c5eeef459fb8b101a8a56bbd
-
SHA256
a5aa1d2e2d56445ff55b92223f9b77c6da17458bdfcdc2c0da439ad1459257ce
-
SHA512
11296eec923d469bd755b36d30d4db5226c2fb2f0fef514fc3606dcf282bf8e01955bbf38255a1525b3e1312b49cb0db375de749a9e11f54d4ac6b2893e524a7
-
SSDEEP
98304:Vmtk2abmtk2aTmtk2abmtk2a5n/nTnun9:IH/HmPrw9
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe family_neshta C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe family_neshta \Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe family_neshta C:\Windows\svchost.com family_neshta C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE family_neshta behavioral1/memory/1640-60-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/2772-65-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE family_neshta C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe family_neshta C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe family_neshta behavioral1/memory/2540-89-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE family_neshta behavioral1/memory/2880-107-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/2148-95-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta \Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE family_neshta behavioral1/memory/2864-167-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/836-180-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta \Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE family_neshta behavioral1/memory/1588-153-0x0000000000400000-0x000000000065E000-memory.dmp family_neshta behavioral1/memory/2716-173-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta behavioral1/memory/812-182-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/844-141-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2556-140-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1964-185-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1984-188-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2752-129-0x0000000000400000-0x000000000065E000-memory.dmp family_neshta behavioral1/memory/900-209-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1956-198-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/356-206-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1452-111-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1888-213-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1432-220-0x0000000000400000-0x000000000065E000-memory.dmp family_neshta behavioral1/memory/2616-224-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2484-246-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1652-248-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2604-262-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2536-271-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1456-273-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1360-283-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3032-302-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/584-301-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2764-300-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/1892-299-0x0000000000400000-0x0000000000725000-memory.dmp family_neshta behavioral1/memory/536-331-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2436-333-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/652-335-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral1/memory/1552-342-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1544-343-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2396-358-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2236-362-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1956-365-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2416-367-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/1620-373-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/3000-380-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2992-378-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2828-395-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2888-393-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2184-405-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2204-404-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral1/memory/2152-407-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta behavioral1/memory/1928-414-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta behavioral1/memory/992-413-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta behavioral1/memory/1916-412-0x0000000000400000-0x0000000000598000-memory.dmp family_neshta behavioral1/memory/1040-410-0x0000000000400000-0x000000000065E000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family is a file infector: it writes itself into other executables so that launching an infected program runs the infector first and then the original. In this run it drops C:\Windows\svchost.com and C:\Windows\directx.sys and rewrites HKLM\SOFTWARE\Classes\exefile\shell\open\command to `C:\Windows\svchost.com "%1" %*`, so every .exe started through the shell is routed through the infector (the "Modifies registry class" entry below is the same key). The Office binaries under C:\MSOCache that match the Neshta rule are infected copies, so the hashes listed under Downloads are of the infected files, not of the original Microsoft binaries. The small 0x400000-0x41B000 memory regions above belong to the svchost.com stub, while the larger regions are the host programs it was wrapped around, consistent with Neshta's documented prepending behaviour (inferred, not shown directly by the report). Remediation therefore needs to restore the exefile association to `"%1" %*` and remove the dropped files in addition to cleaning or replacing infected executables.
-
Executes dropped EXE 20 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exesvchost.com_CACHE~1.EXESynaptics.exe._cache_Synaptics.exesvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~3.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~4.EXESynaptics.exe._cache__CACHE~3.EXESynaptics.exesvchost.com._cache__CACHE~4.EXE_C1267~1.EXEpid process 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 2184 ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 2772 svchost.com 2752 _CACHE~1.EXE 2880 Synaptics.exe 2540 ._cache_Synaptics.exe 2148 svchost.com 1588 _CACHE~2.EXE 1452 ._cache__CACHE~2.EXE 844 svchost.com 2716 _CACHE~3.EXE 2556 ._cache__CACHE~1.EXE 2864 svchost.com 836 _CACHE~4.EXE 1568 Synaptics.exe 812 ._cache__CACHE~3.EXE 1956 Synaptics.exe 1984 svchost.com 1964 ._cache__CACHE~4.EXE 1220 _C1267~1.EXE -
Loads dropped DLL 38 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exec0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exesvchost.comSynaptics.exesvchost.com_CACHE~2.EXE_CACHE~1.EXEsvchost.com_CACHE~3.EXEsvchost.com_CACHE~4.EXESynaptics.exesvchost.compid process 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 2772 svchost.com 2772 svchost.com 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe 2880 Synaptics.exe 2880 Synaptics.exe 2880 Synaptics.exe 2148 svchost.com 2148 svchost.com 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 2752 _CACHE~1.EXE 844 svchost.com 2752 _CACHE~1.EXE 2752 _CACHE~1.EXE 844 svchost.com 2716 _CACHE~3.EXE 1588 _CACHE~2.EXE 2864 svchost.com 2864 svchost.com 2716 _CACHE~3.EXE 2716 _CACHE~3.EXE 836 _CACHE~4.EXE 2716 _CACHE~3.EXE 836 _CACHE~4.EXE 836 _CACHE~4.EXE 1956 Synaptics.exe 1956 Synaptics.exe 1956 Synaptics.exe 1956 Synaptics.exe 1984 svchost.com 1984 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe_CACHE~2.EXE_CACHE~3.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~2.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~3.EXE -
Drops file in Windows directory 19 IoCs
Processes:
svchost.com._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exesvchost.com._cache_Synaptics.exe._cache__CACHE~1.EXEsvchost.com._cache__CACHE~3.EXEc0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exesvchost.com._cache__CACHE~2.EXEsvchost.comdescription ioc process File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~3.EXE File opened for modification C:\Windows\svchost.com c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com ._cache__CACHE~3.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys ._cache_Synaptics.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). For a file infector this is consistent with scanning attached drives for executables to infect, although the report does not list the enumerated devices or paths.
-
Modifies registry class 1 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
_CACHE~2.EXEpid process 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE 1588 _CACHE~2.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
_CACHE~2.EXEdescription pid process Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: 
SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE Token: SeSystemProfilePrivilege 1588 _CACHE~2.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exec0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exesvchost.comSynaptics.exe._cache_Synaptics.exesvchost.com_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXEsvchost.com._cache__CACHE~1.EXEsvchost.com_CACHE~3.EXEdescription pid process target process PID 2204 wrote to memory of 1640 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 2204 wrote to memory of 1640 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 2204 wrote to memory of 1640 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 2204 wrote to memory of 1640 2204 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 1640 wrote to memory of 2184 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 1640 wrote to memory of 2184 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 1640 wrote to memory of 2184 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 1640 wrote to memory of 2184 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe PID 2184 wrote to memory of 2772 2184 ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe svchost.com PID 2184 wrote to memory of 2772 2184 ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe svchost.com PID 2184 wrote to memory of 2772 2184 ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe svchost.com PID 2184 wrote to memory of 2772 2184 ._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe svchost.com PID 2772 wrote to memory of 2752 2772 
svchost.com _CACHE~1.EXE PID 2772 wrote to memory of 2752 2772 svchost.com _CACHE~1.EXE PID 2772 wrote to memory of 2752 2772 svchost.com _CACHE~1.EXE PID 2772 wrote to memory of 2752 2772 svchost.com _CACHE~1.EXE PID 1640 wrote to memory of 2880 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe Synaptics.exe PID 1640 wrote to memory of 2880 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe Synaptics.exe PID 1640 wrote to memory of 2880 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe Synaptics.exe PID 1640 wrote to memory of 2880 1640 c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe Synaptics.exe PID 2880 wrote to memory of 2540 2880 Synaptics.exe ._cache_Synaptics.exe PID 2880 wrote to memory of 2540 2880 Synaptics.exe ._cache_Synaptics.exe PID 2880 wrote to memory of 2540 2880 Synaptics.exe ._cache_Synaptics.exe PID 2880 wrote to memory of 2540 2880 Synaptics.exe ._cache_Synaptics.exe PID 2540 wrote to memory of 2148 2540 ._cache_Synaptics.exe svchost.com PID 2540 wrote to memory of 2148 2540 ._cache_Synaptics.exe svchost.com PID 2540 wrote to memory of 2148 2540 ._cache_Synaptics.exe svchost.com PID 2540 wrote to memory of 2148 2540 ._cache_Synaptics.exe svchost.com PID 2148 wrote to memory of 1588 2148 svchost.com _CACHE~2.EXE PID 2148 wrote to memory of 1588 2148 svchost.com _CACHE~2.EXE PID 2148 wrote to memory of 1588 2148 svchost.com _CACHE~2.EXE PID 2148 wrote to memory of 1588 2148 svchost.com _CACHE~2.EXE PID 1588 wrote to memory of 1452 1588 _CACHE~2.EXE ._cache__CACHE~2.EXE PID 1588 wrote to memory of 1452 1588 _CACHE~2.EXE ._cache__CACHE~2.EXE PID 1588 wrote to memory of 1452 1588 _CACHE~2.EXE ._cache__CACHE~2.EXE PID 1588 wrote to memory of 1452 1588 _CACHE~2.EXE ._cache__CACHE~2.EXE PID 1452 wrote to memory of 844 1452 ._cache__CACHE~2.EXE svchost.com PID 1452 wrote to memory of 844 1452 ._cache__CACHE~2.EXE svchost.com PID 1452 wrote to memory of 844 1452 ._cache__CACHE~2.EXE svchost.com PID 1452 wrote to memory of 844 
1452 ._cache__CACHE~2.EXE svchost.com PID 2752 wrote to memory of 2556 2752 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 2752 wrote to memory of 2556 2752 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 2752 wrote to memory of 2556 2752 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 2752 wrote to memory of 2556 2752 _CACHE~1.EXE ._cache__CACHE~1.EXE PID 844 wrote to memory of 2716 844 svchost.com _CACHE~3.EXE PID 844 wrote to memory of 2716 844 svchost.com _CACHE~3.EXE PID 844 wrote to memory of 2716 844 svchost.com _CACHE~3.EXE PID 844 wrote to memory of 2716 844 svchost.com _CACHE~3.EXE PID 2556 wrote to memory of 2864 2556 ._cache__CACHE~1.EXE svchost.com PID 2556 wrote to memory of 2864 2556 ._cache__CACHE~1.EXE svchost.com PID 2556 wrote to memory of 2864 2556 ._cache__CACHE~1.EXE svchost.com PID 2556 wrote to memory of 2864 2556 ._cache__CACHE~1.EXE svchost.com PID 1588 wrote to memory of 1568 1588 _CACHE~2.EXE Synaptics.exe PID 1588 wrote to memory of 1568 1588 _CACHE~2.EXE Synaptics.exe PID 1588 wrote to memory of 1568 1588 _CACHE~2.EXE Synaptics.exe PID 1588 wrote to memory of 1568 1588 _CACHE~2.EXE Synaptics.exe PID 2864 wrote to memory of 836 2864 svchost.com _CACHE~4.EXE PID 2864 wrote to memory of 836 2864 svchost.com _CACHE~4.EXE PID 2864 wrote to memory of 836 2864 svchost.com _CACHE~4.EXE PID 2864 wrote to memory of 836 2864 svchost.com _CACHE~4.EXE PID 2716 wrote to memory of 812 2716 _CACHE~3.EXE ._cache__CACHE~3.EXE PID 2716 wrote to memory of 812 2716 _CACHE~3.EXE ._cache__CACHE~3.EXE PID 2716 wrote to memory of 812 2716 _CACHE~3.EXE ._cache__CACHE~3.EXE PID 2716 wrote to memory of 812 2716 _CACHE~3.EXE ._cache__CACHE~3.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE"9⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE"10⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C578E~1.EXE11⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C578E~1.EXE"12⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate12⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate13⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate14⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate16⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate17⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate19⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate20⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate21⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate22⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate10⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate13⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate13⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate14⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate19⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate20⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate21⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate22⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate23⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate11⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate12⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate13⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate14⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate15⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate17⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate18⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate19⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate20⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate14⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate15⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate16⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate17⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate18⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate19⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate20⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate21⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE" InjUpdate22⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_C1267~1.EXE InjUpdate23⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXE" InjUpdate24⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution 1
Change Default File Association 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXEFilesize
859KB
MD502ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exeFilesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exeFilesize
186KB
MD558b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exeFilesize
1.1MB
MD5566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\Users\Admin\AppData\Local\Temp\._cache__C1267~1.EXEFilesize
60KB
MD50b0e2167a29c4693e4989c094ec85df1
SHA1d4827c0da703a67abcb87ba314aeffd8bef5e480
SHA2562e53914c194124fc1663d9c38f16130555eccaf3a8808207c06276878be37ea2
SHA5125e5557e4acdd6093797ab14fc56eeb09c5dd34e9f5274ec1b13669a58330b0f6475457e45d23c9e61acf2b883814878f0f456623baad9e99d299f99c3264f0eb
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXEFilesize
1.6MB
MD5b2bf519f9b24d2851dd54c542c8797e0
SHA10dc2e285b163d581686d7f12d8e30f74ca23f35f
SHA2566fb8a52395f7ea2e52877f5d9b30e9a052182bc8681a8a822c6a23830096c51b
SHA512bf17c7f347df23cdc1053ed7b80e373449d5722f1d837dcb1579771fa787bebe4b3dcb05b19377d4576f6c6d22971a86db18c3877ec7432d5aa130d5aa3cae0e
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEFilesize
2.3MB
MD5dd1e0435e1ef178ff2a90071af0d99f7
SHA1cd690abaf78c271304d62206969b0e0254e28da3
SHA256f378301369260a04ddeebfbdac2bcc45d1eba95a83718d17968becd4f1134c06
SHA512fe0d18cbbbf15809836a2899e2fe91e9b9f911e9c2fbdb5e1a5201d6e355dc516749bf075515d9bf4323b34fb2a9e58e56cf4b8f085a9f845e1a98de2d40c78a
-
C:\Windows\directx.sysFilesize
57B
MD5b42f2603883dadf133cee3ae5d767bb2
SHA1dc4161551044405353e870b029afff27c8030e22
SHA256998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28
SHA512a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d
-
C:\Windows\directx.sysFilesize
57B
MD58e4bd9619c227ef2bc20a2cb2aa55e7b
SHA1a6214b7678b83c4db74b210625b4812300df3a74
SHA25684ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9
SHA51212a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf
-
C:\Windows\directx.sysFilesize
57B
MD5f9d50095200245f4da0ddb25d68b981a
SHA1ab4aea8f393579322ff923ba6a0b7a6de224005c
SHA2564bfbff29fe4d64d0a4162850264ba0adc5bff90905201a1937162d64c92958f3
SHA512b5f92b54f2920bef0045e97e9f8a7fccfa29f5d19d7b063b28eb1dce248cb0a6adfe2adb7f1084a70caaba39ebbe850987383fcdd93f2db2eaf03d4cd63b0198
-
C:\Windows\directx.sysFilesize
57B
MD56b3bfceb3942a9508a2148acbee89007
SHA13622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
C:\Windows\svchost.comFilesize
40KB
MD587f4580a70956c2ec61f1e3cc1748f2e
SHA16eb0b2159e00472d5d649e815cff78f1f269751b
SHA2562547ea3f1ef06289d28607bb848ff372121d6c58759226631294df427f1e92aa
SHA5124383574b73de8e9b9d92ff6fb2b240e63f415b48dd0adfacee10016303aa5e776266b66009fc58584572624fe9ad974d1ebabecc0afbeb13eb42b2948fc39d31
-
\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXEFilesize
854KB
MD590a9e3857fd3ff62c806fd7a013f9449
SHA10194d925f9cc440c932060d36b6eb4029732867f
SHA2564501374e845e97b713c8b9605a14117defb2049f376f3e529e7101a0252cc283
SHA512ccb7d0b0e081b665354a617c97473eeca97ad70bb8928dd253182a5489356665afe626cd84b07d85087905afdb918e56fe85834f98f091268d313e954d0ba18d
-
\Users\Admin\AppData\Local\Temp\._cache_c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exeFilesize
2.4MB
MD5314f9d1767462f1ccb9e129c6770d2bb
SHA128f37ea23af62c9da3c0508cc45a66f95483bd0c
SHA256243e3a20fbeb87ddf5fa7bd432debf295dd9a88ff8ccb7cb98437837f3a1de75
SHA512d4a1ea0374c17b79b4a23c87ddb565dacce687758dbc3f7a811965cb2ccd11bb140f4a6020b0aa1eb962008fe2784f93ccd01e32e475c68a069daadb46a8b889
-
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXEFilesize
1.6MB
MD54ef2d35f76a957485f9c460607ac7d6c
SHA1759b1352a29f397be6b949cc321acc917c4be52f
SHA256ed36f3fe570e549401b0f0ebb655c8f5ef82b788437b6d0994c522d70d9d6ccb
SHA5127e8176a0389d45bfb1e9436479723cd1f7a0ce0379c26c5b5e1ac3f7475ff1d84f4996fa3dd238bad19d2512563f29b80c98f4e1a9a109473223398ed211fde0
-
\Users\Admin\AppData\Local\Temp\3582-490\c0a844b5d843b03c4c8d9f6e8fac4090_NeikiAnalytics.exeFilesize
3.1MB
MD5fc1deaf1b12a863f0539ec58f33bbaf6
SHA1e9351bebea31a2a0055bc86f4ae181452183344f
SHA25632646d57cc5f64b914b0acb6fd2339248b46085c41818c977606389c12e10329
SHA5129a2d082725259beab9b8efb645420e65f591e73608a082e5b6b18973a38d633cb3e97a10becb672feccb6560e50757012fa9f275e4f0f98ea8ad61ef1010482c
-
memory/356-206-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/536-331-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/584-301-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/652-335-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/812-182-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/836-180-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/844-141-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/900-209-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/992-413-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/1040-410-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/1204-199-0x0000000000E60000-0x0000000000E87000-memory.dmpFilesize
156KB
-
memory/1204-212-0x0000000000E60000-0x0000000000E87000-memory.dmpFilesize
156KB
-
memory/1220-210-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/1220-197-0x0000000003E70000-0x0000000003E97000-memory.dmpFilesize
156KB
-
memory/1360-283-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1432-220-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/1452-111-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1456-273-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1544-343-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1552-342-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1572-397-0x0000000000E50000-0x0000000000E77000-memory.dmpFilesize
156KB
-
memory/1572-401-0x0000000000E50000-0x0000000000E77000-memory.dmpFilesize
156KB
-
memory/1588-153-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/1620-373-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1620-219-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/1620-217-0x0000000003F00000-0x0000000003F27000-memory.dmpFilesize
156KB
-
memory/1640-12-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1640-60-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB
-
memory/1652-248-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1852-218-0x0000000000BF0000-0x0000000000C17000-memory.dmpFilesize
156KB
-
memory/1852-222-0x0000000000BF0000-0x0000000000C17000-memory.dmpFilesize
156KB
-
memory/1876-427-0x0000000001E80000-0x0000000001EA7000-memory.dmpFilesize
156KB
-
memory/1876-396-0x0000000003E80000-0x0000000003EA7000-memory.dmpFilesize
156KB
-
memory/1876-394-0x0000000001E80000-0x0000000001EA7000-memory.dmpFilesize
156KB
-
memory/1876-434-0x0000000003E80000-0x0000000003EA7000-memory.dmpFilesize
156KB
-
memory/1888-213-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-299-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB
-
memory/1916-412-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/1928-414-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/1956-198-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB
-
memory/1956-365-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1964-185-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1984-398-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/1984-411-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/1984-188-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1984-402-0x00000000040F0000-0x0000000004117000-memory.dmpFilesize
156KB
-
memory/1984-349-0x00000000040F0000-0x0000000004117000-memory.dmpFilesize
156KB
-
memory/1984-332-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/2040-364-0x00000000011B0000-0x00000000011D7000-memory.dmpFilesize
156KB
-
memory/2040-360-0x00000000011B0000-0x00000000011D7000-memory.dmpFilesize
156KB
-
memory/2148-95-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2152-407-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/2184-405-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2204-404-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2236-362-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2336-408-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/2396-358-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2416-367-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2436-333-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2484-246-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2488-403-0x0000000000E50000-0x0000000000E77000-memory.dmpFilesize
156KB
-
memory/2512-409-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/2536-271-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2540-89-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2556-140-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2560-374-0x0000000000550000-0x0000000000577000-memory.dmpFilesize
156KB
-
memory/2560-416-0x00000000040F0000-0x0000000004117000-memory.dmpFilesize
156KB
-
memory/2560-406-0x0000000000550000-0x0000000000577000-memory.dmpFilesize
156KB
-
memory/2560-375-0x00000000040F0000-0x0000000004117000-memory.dmpFilesize
156KB
-
memory/2604-262-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2608-376-0x0000000000F30000-0x0000000000F57000-memory.dmpFilesize
156KB
-
memory/2608-391-0x0000000000F30000-0x0000000000F57000-memory.dmpFilesize
156KB
-
memory/2616-224-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2716-173-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/2752-129-0x0000000000400000-0x000000000065E000-memory.dmpFilesize
2.4MB
-
memory/2764-300-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB
-
memory/2772-65-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2828-395-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2864-167-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2880-107-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB
-
memory/2888-393-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2964-399-0x0000000004130000-0x0000000004157000-memory.dmpFilesize
156KB
-
memory/2964-392-0x0000000000670000-0x0000000000697000-memory.dmpFilesize
156KB
-
memory/2964-421-0x0000000000670000-0x0000000000697000-memory.dmpFilesize
156KB
-
memory/2964-446-0x0000000004130000-0x0000000004157000-memory.dmpFilesize
156KB
-
memory/2992-378-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3000-380-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3032-302-0x0000000000400000-0x0000000000725000-memory.dmpFilesize
3.1MB