Malware Analysis Report

2024-08-06 18:05

Sample ID 240629-1kj6caxamg
Target 0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe
SHA256 0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb
Tags
xenorat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb

Threat Level: Known bad

The file 0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

xenorat

Xenorat family

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-29 21:42

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 21:42

Reported

2024-06-29 21:45

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe"

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5000 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 5864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb8,0x108,0x7ffd9bc146f8,0x7ffd9bc14708,0x7ffd9bc14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9bc146f8,0x7ffd9bc14708,0x7ffd9bc14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12878332411216028620,14012902955477846718,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
BE 104.90.26.174:443 learn.microsoft.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 174.26.90.104.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.5:443 browser.events.data.microsoft.com tcp
US 20.189.173.5:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3a09f853479af373691d131247040276
SHA1 1b6f098e04da87e9cf2d3284943ec2144f36ac04
SHA256 a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
SHA512 341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

\??\pipe\LOCAL\crashpad_4424_VTDWGOCISOKHPDYE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9081c34e133c32d02f593df88f047a
SHA1 a0da007c14fd0591091924edc44bee90456700c6
SHA256 c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e
SHA512 12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22f4defc39145702d62c877829307b1c
SHA1 2ee7ff56bf2715ad192c9c93718d8402f56f0ddc
SHA256 337d6a022da3983f30638f71b2f22350765e2aba4ef7a1b739df3ee702fb9711
SHA512 4d0cff9b65c6eddebed487299eb07616c9a09dbadc0a6f0c0bcc235eed3f51d61bdcea97ed7565f59f5c5d94b77abb55f024f1b3bac6dd5114fc7b58a93150b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ea900eb7256062f8a707494ff89ebe6c
SHA1 731c0c01d9b48026b168af890f3f4bb4a972661e
SHA256 09e28c59da02bfe09a6755b243482fd374f2b256a1203031844102f283c1cc0a
SHA512 1647392b5b41fdc5cf66d6764047099c458a66776705d64ee3b9d3cf4b201ef12bff7a9f552a5a98c1f7adbafce3fef246e1e3c0e0c689a0803cfb8a25866a70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1f493dc0dbc7aa60d1dcf10e8c137ec4
SHA1 c00db73c6dc52f5f792bb4bf7b477fc8e8d5da67
SHA256 4fcd3aef9c9856f330f5e3d4f4982f90fc121a9be3a3e08ad3233c439124b7cc
SHA512 5d3e59e71a3a299d43f253981070ecfa0731aa5deec9df13f7bed5d07334a94b1f9749caf2f0122e173225905c691cbcab7b15e3be1b4f2d4ab5aa3dfa754e1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40999ff60c86401c5cc33549b35a6ddb
SHA1 62c94c33fd1f9286c3c0dcab8dd68b9fd33c7325
SHA256 bbddbe40fcd6eb899d61e4e6862c76004970277294bd66924fd48945abbc759b
SHA512 7a530a9ca7d9cd57a2b2b569e737557f5016e6212865823cb3c1ff8da6b96a1e12c2e7364dd7e044b2f63df42f2b560114805fa80e351a052099e41ad4aad802

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a9ec.TMP

MD5 a928065b4423735db9d8b5ec226df240
SHA1 7c87e6fb6fa3672d796307236698f9a1cb20c05f
SHA256 43b3b64f450149689e6ef1ad5ef9f7002e0613800487bcae759c9a55687e3bad
SHA512 15b3b0725197c62879ffc4656d9e0d1683c1f693fd914c791c3307333977e3e761c5a3745b45bf14973039a350cd7fbf6daa7d41886e8121675394684bc24952

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a7d474325dcdca43517f9882317b1d5d
SHA1 92ef2348cd755d7ad732b06dad651ae9b937db81
SHA256 8d2704890a820f5c25a6a08bdf0edc515ae2db5db42a03e8b8436d472ba9884d
SHA512 a47e5b52c5841376c5d9175ae41e52b54b15d745b2b4ce0eea145d78ea332c653d296edd266210a2e18fe22f0a1110c9581247a2772f78557446bfae7315719b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b756eb23ac5464272f7d7ceee62aaf00
SHA1 6983bab07a494fc28668c931459d7f17e3172bbb
SHA256 3e8e5b9af05fe90d047bd627ad8f15ef2dff5ce7147fcfcbdc36d43fc2f94f47
SHA512 1c65def566b0293c1d200e0dff078191eb17e77eafbcb048dee4b912872a367b0f369d588379083cd1eb1946b04339f3119232ddd874514ac4311283da8c9d63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 21:42

Reported

2024-06-29 21:45

Platform

win7-20240611-en

Max time kernel

119s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80A85AE1-3660-11EF-A550-7E1039193522} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425859225" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1028e4566dcada01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000002c15390391786b52b5c92ea85bc6b1336494b36401de78e2b67214293a522afb000000000e8000000002000020000000ad211cc4ecdb4c36b1aec22212c03154cb6fdfe70fb6ed29c91ab2067f2dfcd7900000005e0c36eb74a40019463185d995be9c3004d8a481e4ed34ca376f4cf5b2e06700d6efe79a0c716b317a5f67eaa585b966f4f703449b932844e75a5f376e63c873535a60286e55e88f16fde5bcd64993650087657c106d92254a87d693edbafaf9ce2b33732aece71ac325e30a0e9e151d5f8cc6a95eaa447863c8880949ce2a73b7a8aa238d1f12211fcaf3831cd43046400000000c2135d3c8d04caea437477fb99b677cc7be0b8606caa2732b7a45871a4f5265c956970139f093dedc5da52166b22a7d853368c54d022665e330971d3a1d1213 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000c3fba9e7e16ead7bc76da059e4620be6a8953de069182a67ed8ab65dcbe5b84d000000000e80000000020000200000007198ef26091efbb3a174400fbdc7209da4648fbe35d60ac21519f175b22ec845200000007eb57013a04560610f549b8143270c14ab656fcb9d4d067c21e223f3ca2cea9a40000000a7d01f7e40f2d443b0639a20a75660fdaf0b3a9a5766778d8b68adfdc617b8d14bd8490f5e63eac93d4ac1aa7f372c62043dffc1156d9257a47a8076fe4f8356 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2204 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2204 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2204 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1912 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1912 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1912 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1912 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0261b2f24b98b9d5646ed108e7a1e3081e95a9b42e60f1a31e7500144c2372bb_NeikiAnalytics.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 learn.microsoft.com udp
BE 104.90.26.174:443 learn.microsoft.com tcp
BE 104.90.26.174:443 learn.microsoft.com tcp
BE 104.90.26.174:443 learn.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3015.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar30D9.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fae2d2f2dcd024f02a789112f8322c2
SHA1 b52c99402ad3b86b169ba3e893e76dd6bcb6458c
SHA256 ab1d8573ab78e93b0d52c3839baa29956ed838809517aedfaefa15dbc91ad4ce
SHA512 16de295abe209d2d5ac89b465b1792fc26a2856bbac5984a67b8372451b9f0017d1d5f46f86c2db2eb8bf605b5f3a09b9fd4f48ad232104f1bdfda9c62cd6895

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7861220dce9b1bb221fe6852f273fe5c
SHA1 bb19fbcb6b16398f9feadb29d25b6a7091effe6f
SHA256 6d405ca9706ac80677e8c17db38a9d7b0442351042dd9138c1902a28235b8f4d
SHA512 ae591ae54c723bcd7251b8c8d18dd05a8162ab326e5662c293e666b98d7dcab87c7a087f9e8fba1633aa9392489f301dbd569055040bc7b2a12e80237c8164c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fd55eedff14355670d2f3a597c56d51
SHA1 48cac731a05bac36f1dc4a22462c1140b3a5d71d
SHA256 15cc7b5f7c803ea740de3a6a6973b5d3d8aacd61b83f0d5062611b3b24683055
SHA512 8caf6ae4328e3b33bbe8569fec8f762ecc888e175a5ee304b69fb5efd863ba52a9c509e810978f06539691976d1f52ca3e01f752eee112b46f8c86457fb6fc43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 becb82a82ebe8191c68b15393c63ea45
SHA1 3ecb0db39ec144c7f1f3f0a51703c83ae824f30b
SHA256 94fa726d3d4a8583e4b6006f3bf9b614662dcfa984a911e080620e81319afea9
SHA512 0090f89e5b77394fcf4aaaa174cad17d9e1ca942f932e0fbc3b9dfd80209fa3a118a6910db5be881674dcf866caf2d53f951f69b5e194d4cc02656827ffbee66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47e85d019f11a723536ce79604c30b52
SHA1 6061efff0cbe5ceefbbff73a9f6695d42d07d948
SHA256 b7c14e459266db1a2f3605641ecf702414c74166b374fb4eb20164bca78d3536
SHA512 25420758b9dc6539be95e9c47897cb25d79c2b4b0dfda0c8977343bd6e7e5814eecbfcfe9d482a36da89f2b420ab34d4a6e1f5becd244c1cc4fcb465daeb475e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5145bf37de33f5520ca23f5ce1f61226
SHA1 1c28b3f3657fd4bd4819e2fc75fe4486fe8a0cd9
SHA256 1738fde22e60db39757796b45765340021a54cf5c7bde546f510a468ede0f22b
SHA512 06c8c36edfb7f093aad915d4c29f89c927281ac1bf5c4e087f4edcba9b67c143f03fb85ad1ca9f30e2ba7f744d8390c39335a97e405fd7573289fc1188b34f23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 03fa99bebb89164039cbca1466f9c68a
SHA1 8eef5b82e473ef8b9107d901aeefcc9041877a8c
SHA256 1c70bb0b94d4e4133e050ada230d9a1f228d2f4ae059c229c83a67a7572c50c4
SHA512 cf74273485bbb9d1f29b6b2a8b53df5b92e609d2fea545a641dcf62a6295b732b39e1cc322e59af36eb374ab6b213b3c0c75ef6a841006bcd84cbb1b9de9f068

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42402e0bfd7afe9be8153afb6de8e462
SHA1 791dc94671d16925d7c29da9d5fb754075f5b99c
SHA256 43e5cb97a6011a0a5493f52480379f8376739f28730fda989fb786f696e2ebb6
SHA512 11145fb7b501b2b5c764650ff9f09bb5443bc295135e98ce9aca150be00252538cba5adaff76c5b628416ce11ab5c0d040bae87975ad47b0be4b0ef224d1588f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d3a58a11fc86f4166f48abc4bd5ce66
SHA1 6f07697514cfa00662084b151665ac1da7974106
SHA256 1532e8a68fadce069d3add38697d016b0ccb7c62ca2a1f1d101c719b985a0937
SHA512 d43430848fbb107f9be67051ee67d4e60d53863f87951a59d0880f354e8a86ea8751da4839d3ad2a0ffe8c2fe5875aea1f1912e33dc61296e8ecd9331fdbcfdc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a6b4cbb34df825cb43f457c65728922
SHA1 70e1c7c934880a15960e142dcd4e60042aef8b6f
SHA256 79c790a8e3cf16adacf434a5d70b9a13cc49cbe6d3bee4fc4479a27e823bf418
SHA512 1abc4cb4eb26aa6de00c9d7d5c0db5414677a87a70f6c595f3302c849553f534d32f03677773ae062e46212efa5d51d2a237a6459f11ff776530021fc7bf2cee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0eb898be86306551e6fc757c57cebb4b
SHA1 ba2d5c6ce43da1178d04db8bab9574a6c486bb40
SHA256 db68a0805cea238904beba91f60617f01869e4d428a69457177eccc873597b9f
SHA512 b1f259f7c1653794cde35c64f1c3bf3c118fee3eadbce666e8e2a59f2d504e7e7efbce32fbc96d633b66e1421c7322bbb1b7b6cc8e033488654b78e64f8ed998

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dccc97a78f41d2cac908b4c81f424437
SHA1 ed38618454d1be09ec8aff02429d2fd084af78ad
SHA256 0589e57a7a3144b90eae7222f5068a42249e8809bfe5b713a9a947668e3cf3ca
SHA512 6e580c8d27ce086b6d46362386fd7d190d2f644f5572c927642ea21d36b6fa36995e585f25eae4f9e2204994bd276d4e2cd8640c59086b7d41c4fd927a0bf8c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8616d5f84279240a8b5f5b4f8bc752b
SHA1 924b7da1e9125b693cb75b585f003bd0dbe91f3f
SHA256 25d5fe3f50d79060009ce01eb2ddb5c5ba113af22a36fa036808d29dc75da59d
SHA512 b2fff531f6b4454892edf4774775a094a582600370417166ead3731c46d521c37be78011b969f0af1b42e20314790f2581ba919b82eddb00e0bd40bf2e1279b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d1c40ba452e2a77f219709ccf9700aa
SHA1 41662d06174572454aa2d7d5bfb011748906467b
SHA256 6a8ad5461b7a6c411dc8904fc3f9533ff5effd3cf858ec6b706ebe4076ac0626
SHA512 78c0b58a78146fd4aef4c740bc1faa3d10a8e23498b8c100d975d0c59694e405115c7f51f6c274447ed3c7e30543299449a8e6ee6ea73c80db9579115b60f616

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84459318d481441318eb5b1afbdbac7e
SHA1 b27b39e18d9f5146af90022cf1e041bec723385f
SHA256 f61caddd42205b209ad35f6a52c70c6f74e7944e4eb8d161aa862d63304ab64a
SHA512 2766b233eefa4655694b7066674363896696da7168e3592a0971429e98d5bbab91f4637ada0b16dad34474cc6e5bb5a5399d7b370518338cb23a50a7d86314c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a37860ffaaa607f14221df340db784a6
SHA1 048e24ae6be9a0ac1a9d94d2fc333c79dbcfd51b
SHA256 e848201cf1691e48e09205cd0288b0fedff146120f151dabd4d74ec2c335b874
SHA512 9f06b9c03d5b0307128215bbcff014e9404db1e0755673944d7a91a793b67b1f952dda2694297a592ebc5b1fd0dae4195ae1416d5ff560ddb09f44ec4b1336e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee4b966af9a0eef3a3f6dc89497db477
SHA1 cabafb9aff538dab4bc83f552af8cba91216a55a
SHA256 9a4f5ed0e5298694435c52c9f0b78e87b9d1d70628ce45db2ca67cefb01e67bd
SHA512 b53c62860bfd33331eefa71aa07e97e8f6f64b8f191fd7b9022efb80ec7e22324adc910f62de852fffd5ba70352fb841e0c7b531df0fc160f9e52100c346bce5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c96e60e5c84874758ccfdf64ce99ffce
SHA1 31cc9c3cbf5cdc458ba0de44ee8015aabdb14f0c
SHA256 6ea197ad858e2e37ad0b9b4f42fb0ed15c68133c5493e320db005a8a24ce4d47
SHA512 91527322eece7f4dead28065c3e13ec36ea5c665b4a262f970a88a250d199064a817cb874e09943edc6799897cdac555e253cceb39a9e0ff13224c76172f78f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24ddb6d7c6be64889c9fdf053e05335f
SHA1 e86ba9ed120a6f37bea0ba441e5f6e5083974f6b
SHA256 954b9253748527d4a91ad2103b633c7813ea73e91953e3096e61d46343755804
SHA512 d25ba468e8c1fd0656f5c843f537028384f3f43b7099969275a3ba0c98a17ea535985e5a9ca07338452fc1cfad02afa266b29fbf6e4f47f1dff00b530449ea0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aec3461253364b77fd500a1aa7af31fa
SHA1 0ced4ac700b9dacda5f12284d617c077f1e08d8d
SHA256 4cd3e017ebcefd72519d8c9cf4271081b660e2f812aa62761e4e104db4e24496
SHA512 45f39fa82575cd7a1a7bd6d2d403ca648f149f397872d51d1766257756a6ab403325e9de6c30d492001a6c75a4b1eb540220639e6de8519713a5158e864e1e5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c7defcebb150654c3b1732b4217d5b9
SHA1 45738b7ccb67429a924a77394bdb7df8fab53e0d
SHA256 710edac3c5b97a28222011c871b3b8aeb7e91b5fe24a266c848014dc7c55cb34
SHA512 3b2cdef911d18c79e3c9dd39ef58e24eea72113cc9d834478f984de600cad0feea62438c08f3068dafabe6e1e0754499f12b39a1843ef72fbabc86dc7f7849db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cfbef8ef44219815bc160a6505bce15
SHA1 f0c7c023c731d0ab51c06c6c71cd9baf40a43456
SHA256 1bc84654e8fe1a430915ded37a14c2a89b30125dbbb9525e1e8a5fa20a3f17a0
SHA512 f9b3bce8aa0f723bbd63be85b4e754807046f6a0c701a3bf6ee9bf44a8167e940dda56578e87acff7e78a6e19f89f75e2be145fe6b6b525721eb5533ead0c12e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37760e0a4a92d323c01abb828bcb1856
SHA1 f06da6308ad95b14bf406b72228b15bcec5c3e13
SHA256 e88e24739f742e361db92a7ef14d771b81296931602585f9df789886a28df212
SHA512 5c1ab2cf31af6fc7d32eee87e32960b2292ada8c291166b83e967b7e11847cdbdce9a53fd51523a255b8657b0e22c50e18c0b60b8008f359d02221b465efb1d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d62b69ba8ec827bd7374c29cda8f759
SHA1 9d064240774cb7272997523ca55639dd30ed2c20
SHA256 5cf87e0b859778061c863af90a2ea0018632b4e98ef5c0c1c9fa6e22883cf87b
SHA512 fde1eabf8cf8741ae44a8ffd00a747144dd86fb7fa24feda32ab497dae85be93b3334a32b82e96a42768ddaf62a76b80890ed844ae17e3f0f8426aa7f8a6300c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b7a212a0bd871da3943911549b85a6c
SHA1 288df459b1404602afdd260db65127378dfed5f1
SHA256 50f3cd3d10bc83b84102bd2f652e1c37e303560f43c1af7865b6d34ab272344d
SHA512 e1d367452e39f9d16f6031ee5e51c82f79a9421bbe2b7bd10b651fb342f6ab7ea3ff91203cfea94ba06a790b348371e3f5d64b4768d183eea846ff75dbfb17a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 345c0983d9c25d2100493dbdf0026665
SHA1 e50db366ee08d92ee9b62e454d732a31b983241f
SHA256 81818346330e8a0e93e02c78dbd12810623784f18c44505714fe18b2b88aab42
SHA512 186f72d23e2cdc57b4e8a43c005c17fb5dcb49fa245c9a2ef9e75cca5452a73ec236048a87a278afd1f7db307240d6129ec4f8077d8a946ebe3945d44c1f1864

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f36c913e3fab1a1a69ff46a2309ba209
SHA1 e3c0340f01167b85a88ccc99e7a7ff13a3000dd5
SHA256 30b6796ab31d895162aba575b6d92c3886ad2b88fef4f94fc64c7f872e7b653a
SHA512 d2640b0ae15848c4d77c89d6ee8ae691382b495bf77b6fe50b9b407027521eea432c0c9533fd9be6915003f44c04628f4a6f1a5f36981871a72d383fe17163d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca1b724755d6e0f9e90857cedcf0a7a6
SHA1 ee0979033f6c4e3c81274a76cea92db6db85bd1f
SHA256 3023a86aca01f1d56af57031e208d534d98c0b021039d376f9183dde0904b029
SHA512 5be5995958e53a12576296e3f30650ec161fb136a7d7ee31f7ccd452060e365dd185d99e034ecf71ef8b1efeced2c57374e51dfdece85c9a98f1250edcf3adda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5137b62b590129ae2d76413caf0e6e7
SHA1 78dadea8136fd81265085562052117dfb89c5a3a
SHA256 9824824382c9fd1d4c74160890dc2e8799c7fc0a8b898e8a135b2f2c20368c84
SHA512 8b92b37fb0f41a1fc96c74ba392229ea9da2138f094acd3950a14c512065145323f3f7b72ff6e7fb85630ae761fb855d9905da45ff112de3dd0a6695beb6f2a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88350a1b70b9fcb0e1a6cca5ca38599b
SHA1 ce0070ebda1fd0d9365d4e5cfa120042812d6139
SHA256 e52ebc2a27eb7c826c6a5c32f41d3cc3d104d86c66249aa4cd18ce09ff9270fc
SHA512 dcbb6385f44845c858dc26f326fb2c84a76ff66b3935b900de6000cf007da49f51e4cc4fb15ada24451b0b7376e01ecc9b82f2929e1c7ebbba68937f91fd15cf