fec5a46b3342e1625e64d348b4a60eace1626fce6d45bc67f414dd1c40a61514

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 04:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
Size

830KB
MD5

f5c46342c6119e9dac82830cb4f477f0
SHA1

e5467d75e91eae6c9de62fa696dfb5576a5491a8
SHA256

fec5a46b3342e1625e64d348b4a60eace1626fce6d45bc67f414dd1c40a61514
SHA512

4cfe6745bde2908047607889d4d814dd37bc4eaee4da5fab63543557dbd43d700c569a6e0811fbf302a8cc6b68fef51da8ea6e4187053cdbc2b12749e933f543
SSDEEP

24576:2PIaQ7kTm5AWHRlMugdD+JsRgZRJ4fM430Eg6nET7M/IiN:6IfYTKxlMPdlR8v4UC0Eg6ET7M/I

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
5104	alg.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
1608	fxssvc.exe
2384	elevation_service.exe
1080	maintenanceservice.exe
5056	OSE.EXE
4976	msdtc.exe
184	PerceptionSimulationService.exe
2088	perfhost.exe
3664	locator.exe
564	SensorDataService.exe
1748	snmptrap.exe
468	spectrum.exe
4560	ssh-agent.exe
4564	TieringEngineService.exe
2828	AgentService.exe
2732	vds.exe
4000	vssvc.exe
4796	wbengine.exe
3980	WmiApSrv.exe
448	SearchIndexer.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1836	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8c54901dc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f6302ccca1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f55bf52bcca1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa6c272ccca1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080942e2ccca1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6d00a2ccca1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cd5ad2bcca1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4952	DiagnosticsHub.StandardCollector.Service.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
4952	DiagnosticsHub.StandardCollector.Service.exe
2384	elevation_service.exe
2384	elevation_service.exe
2384	elevation_service.exe
2384	elevation_service.exe
2384	elevation_service.exe
2384	elevation_service.exe
2384	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4540	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
Token: SeAuditPrivilege	1608	fxssvc.exe
Token: SeDebugPrivilege	4952	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2384	elevation_service.exe
Token: SeRestorePrivilege	4564	TieringEngineService.exe
Token: SeManageVolumePrivilege	4564	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2828	AgentService.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeBackupPrivilege	4796	wbengine.exe
Token: SeRestorePrivilege	4796	wbengine.exe
Token: SeSecurityPrivilege	4796	wbengine.exe
Token: 33	448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	448	SearchIndexer.exe
Token: SeDebugPrivilege	2384	elevation_service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1836	4540	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe	85
PID 4540 wrote to memory of 1836	4540	f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe	85
PID 448 wrote to memory of 820	448	SearchIndexer.exe	112
PID 448 wrote to memory of 820	448	SearchIndexer.exe	112
PID 448 wrote to memory of 5004	448	SearchIndexer.exe	113
PID 448 wrote to memory of 5004	448	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f5c46342c6119e9dac82830cb4f477f0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1620

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:184

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004

Network

DNS

pywolwnvd.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

pywolwnvd.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

pywolwnvd.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

pywolwnvd.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

ssbzmoy.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

34.128.82.12
POST

http://ssbzmoy.biz/gbwvwfcxqgndwr

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.128.82.12:80

Request

POST /gbwvwfcxqgndwr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:47:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=13f3a2a7be7ccff0b281b90904f9626e|191.101.209.39|1715230035|1715230035|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

cvgrf.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

104.198.2.251
DNS

12.82.128.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

12.82.128.34.in-addr.arpa

IN PTR

Response

12.82.128.34.in-addr.arpa

IN PTR

128212834bcgoogleusercontentcom
POST

http://cvgrf.biz/rwfivrvhp

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

104.198.2.251:80

Request

POST /rwfivrvhp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:47:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=af73461c43605c489a2dc96ccbd26118|191.101.209.39|1715230035|1715230035|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

34.174.61.199
POST

http://npukfztj.biz/yqtq

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.174.61.199:80

Request

POST /yqtq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:47:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=9b3c3e39fc5fc4e9d8d711c7e086b3aa|191.101.209.39|1715230036|1715230036|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

54.157.24.8
POST

http://przvgke.biz/qaullfj

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

54.157.24.8:80

Request

POST /qaullfj HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876
DNS

251.2.198.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

251.2.198.104.in-addr.arpa

IN PTR

Response

251.2.198.104.in-addr.arpa

IN PTR

2512198104bcgoogleusercontentcom
DNS

199.61.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.61.174.34.in-addr.arpa

IN PTR

Response

199.61.174.34.in-addr.arpa

IN PTR

1996117434bcgoogleusercontentcom
POST

http://przvgke.biz/meqrgqvstkytik

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

54.157.24.8:80

Request

POST /meqrgqvstkytik HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876
DNS

zlenh.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

34.128.82.12
POST

http://knjghuig.biz/bfgkivospuard

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.128.82.12:80

Request

POST /bfgkivospuard HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:47:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=7726f8cc17e1521e503470e4e1db0d34|191.101.209.39|1715230038|1715230038|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

8.24.157.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.24.157.54.in-addr.arpa

IN PTR

Response

8.24.157.54.in-addr.arpa

IN PTR

ec2-54-157-24-8 compute-1 amazonawscom
DNS

uhxqin.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

uhxqin.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A
DNS

anpmnmxo.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

vjaxhpbji.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

xlfhhhm.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

34.29.71.138
POST

http://xlfhhhm.biz/yyaqotkyufjohv

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.29.71.138:80

Request

POST /yyaqotkyufjohv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:48:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3aa223ce098c2cd94f88d6679107d87f|191.101.209.39|1715230124|1715230124|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

34.143.166.163
POST

http://ifsaia.biz/mtoswsxv

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.143.166.163:80

Request

POST /mtoswsxv HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:48:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=10e27c1201b18d5725a453264a6df36b|191.101.209.39|1715230125|1715230125|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

138.71.29.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.71.29.34.in-addr.arpa

IN PTR

Response

138.71.29.34.in-addr.arpa

IN PTR

138712934bcgoogleusercontentcom
DNS

saytjshyf.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

34.67.9.172
POST

http://saytjshyf.biz/pgxwrjaoeu

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.67.9.172:80

Request

POST /pgxwrjaoeu HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:48:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=680f218567b0ac1b7e51fb0d9ddb7b50|191.101.209.39|1715230126|1715230126|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

vcddkls.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

34.128.82.12
POST

http://vcddkls.biz/qhuxhkbve

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.128.82.12:80

Request

POST /qhuxhkbve HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:48:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e2ba237034015119546b8fffeb36a5e6|191.101.209.39|1715230127|1715230127|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

163.166.143.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.166.143.34.in-addr.arpa

IN PTR

Response

163.166.143.34.in-addr.arpa

IN PTR

16316614334bcgoogleusercontentcom
DNS

172.9.67.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.9.67.34.in-addr.arpa

IN PTR

Response

172.9.67.34.in-addr.arpa

IN PTR

17296734bcgoogleusercontentcom
DNS

fwiwk.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

tbjrpv.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.91.32.224
POST

http://tbjrpv.biz/paospdfemlfr

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.91.32.224:80

Request

POST /paospdfemlfr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: tbjrpv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:49:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=035c35fcc8996a6d1889481c04da2633|191.101.209.39|1715230169|1715230169|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

deoci.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

34.174.78.212
POST

http://deoci.biz/xbsugeglsjc

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.174.78.212:80

Request

POST /xbsugeglsjc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: deoci.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:49:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=fba595d5bef1913d24fa6907e2eeb724|191.101.209.39|1715230170|1715230170|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

gytujflc.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response

gytujflc.biz

IN A

208.100.26.245
POST

http://gytujflc.biz/rrhbsofsgdwxt

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

208.100.26.245:80

Request

POST /rrhbsofsgdwxt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 09 May 2024 04:49:30 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
POST

http://gytujflc.biz/wdabemyb

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

208.100.26.245:80

Request

POST /wdabemyb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 09 May 2024 04:49:30 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
DNS

qaynky.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

34.143.166.163
POST

http://qaynky.biz/k

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.143.166.163:80

Request

POST /k HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:49:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c82b3e22cf1de8eda840efa1f0dadb71|191.101.209.39|1715230171|1715230171|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

224.32.91.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.32.91.34.in-addr.arpa

IN PTR

Response

224.32.91.34.in-addr.arpa

IN PTR

224329134bcgoogleusercontentcom
DNS

212.78.174.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.78.174.34.in-addr.arpa

IN PTR

Response

212.78.174.34.in-addr.arpa

IN PTR

2127817434bcgoogleusercontentcom
DNS

245.26.100.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.26.100.208.in-addr.arpa

IN PTR

Response

245.26.100.208.in-addr.arpa

IN PTR

ip245 208-100-26staticsteadfastdnsnet
DNS

bumxkqgxu.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

34.174.61.199
POST

http://bumxkqgxu.biz/deambiguafphx

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.174.61.199:80

Request

POST /deambiguafphx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:49:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ea92f3ff6e719a2289bb69f28a4339e2|191.101.209.39|1715230171|1715230171|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

dwrqljrr.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

34.41.229.245
POST

http://dwrqljrr.biz/tlxaveykcq

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

34.41.229.245:80

Request

POST /tlxaveykcq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: dwrqljrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 876

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 09 May 2024 04:49:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c08cc639e2ed405d9e1863a136418419|191.101.209.39|1715230172|1715230172|0|1|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

nqwjmb.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

nqwjmb.biz

IN A
DNS

nqwjmb.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

nqwjmb.biz

IN A
DNS

nqwjmb.biz

DiagnosticsHub.StandardCollector.Service.exe

Remote address:

8.8.8.8:53

Request

nqwjmb.biz

IN A
DNS

245.229.41.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.229.41.34.in-addr.arpa

IN PTR

Response

245.229.41.34.in-addr.arpa

IN PTR

2452294134bcgoogleusercontentcom

34.128.82.12:80

http://ssbzmoy.biz/gbwvwfcxqgndwr

http

DiagnosticsHub.StandardCollector.Service.exe

1.6kB
659 B
7
6

HTTP Request

POST http://ssbzmoy.biz/gbwvwfcxqgndwr

HTTP Response

200
104.198.2.251:80

http://cvgrf.biz/rwfivrvhp

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
657 B
6
6

HTTP Request

POST http://cvgrf.biz/rwfivrvhp

HTTP Response

200
34.174.61.199:80

http://npukfztj.biz/yqtq

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
660 B
6
6

HTTP Request

POST http://npukfztj.biz/yqtq

HTTP Response

200
54.157.24.8:80

http://przvgke.biz/qaullfj

http

DiagnosticsHub.StandardCollector.Service.exe

1.4kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/qaullfj
54.157.24.8:80

http://przvgke.biz/meqrgqvstkytik

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
252 B
6
6

HTTP Request

POST http://przvgke.biz/meqrgqvstkytik
34.128.82.12:80

http://knjghuig.biz/bfgkivospuard

http

DiagnosticsHub.StandardCollector.Service.exe

1.6kB
708 B
9
7

HTTP Request

POST http://knjghuig.biz/bfgkivospuard

HTTP Response

200
82.112.184.197:80

lpuegx.biz

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
82.112.184.197:80

lpuegx.biz

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
34.29.71.138:80

http://xlfhhhm.biz/yyaqotkyufjohv

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
659 B
6
6

HTTP Request

POST http://xlfhhhm.biz/yyaqotkyufjohv

HTTP Response

200
34.143.166.163:80

http://ifsaia.biz/mtoswsxv

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
658 B
6
6

HTTP Request

POST http://ifsaia.biz/mtoswsxv

HTTP Response

200
34.67.9.172:80

http://saytjshyf.biz/pgxwrjaoeu

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
661 B
6
6

HTTP Request

POST http://saytjshyf.biz/pgxwrjaoeu

HTTP Response

200
34.128.82.12:80

http://vcddkls.biz/qhuxhkbve

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
659 B
6
6

HTTP Request

POST http://vcddkls.biz/qhuxhkbve

HTTP Response

200
64.31.75.0:80

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
64.31.75.0:80

DiagnosticsHub.StandardCollector.Service.exe

260 B
5
34.91.32.224:80

http://tbjrpv.biz/paospdfemlfr

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
666 B
6
6

HTTP Request

POST http://tbjrpv.biz/paospdfemlfr

HTTP Response

200
34.174.78.212:80

http://deoci.biz/xbsugeglsjc

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
665 B
6
6

HTTP Request

POST http://deoci.biz/xbsugeglsjc

HTTP Response

200
208.100.26.245:80

http://gytujflc.biz/wdabemyb

http

DiagnosticsHub.StandardCollector.Service.exe

2.8kB
1.7kB
7
6

HTTP Request

POST http://gytujflc.biz/rrhbsofsgdwxt

HTTP Response

404

HTTP Request

POST http://gytujflc.biz/wdabemyb

HTTP Response

404
34.143.166.163:80

http://qaynky.biz/k

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
658 B
6
6

HTTP Request

POST http://qaynky.biz/k

HTTP Response

200
34.174.61.199:80

http://bumxkqgxu.biz/deambiguafphx

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
661 B
6
6

HTTP Request

POST http://bumxkqgxu.biz/deambiguafphx

HTTP Response

200
34.41.229.245:80

http://dwrqljrr.biz/tlxaveykcq

http

DiagnosticsHub.StandardCollector.Service.exe

1.5kB
668 B
6
6

HTTP Request

POST http://dwrqljrr.biz/tlxaveykcq

HTTP Response

200

8.8.8.8:53

pywolwnvd.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

236 B
236 B
4
4

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz
8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

ssbzmoy.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

34.128.82.12
8.8.8.8:53

cvgrf.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

104.198.2.251
8.8.8.8:53

12.82.128.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

12.82.128.34.in-addr.arpa
8.8.8.8:53

npukfztj.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

34.174.61.199
8.8.8.8:53

przvgke.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

57 B
73 B
1
1

DNS Request

przvgke.biz

DNS Response

54.157.24.8
8.8.8.8:53

251.2.198.104.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

251.2.198.104.in-addr.arpa
8.8.8.8:53

199.61.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

199.61.174.34.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

34.128.82.12
8.8.8.8:53

8.24.157.54.in-addr.arpa

dns

70 B
123 B
1
1

DNS Request

8.24.157.54.in-addr.arpa
8.8.8.8:53

uhxqin.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

112 B
118 B
2
1

DNS Request

uhxqin.biz

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

vjaxhpbji.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

59 B
75 B
1
1

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

xlfhhhm.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

57 B
73 B
1
1

DNS Request

xlfhhhm.biz

DNS Response

34.29.71.138
8.8.8.8:53

ifsaia.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

56 B
72 B
1
1

DNS Request

ifsaia.biz

DNS Response

34.143.166.163
8.8.8.8:53

138.71.29.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

138.71.29.34.in-addr.arpa
8.8.8.8:53

saytjshyf.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

59 B
75 B
1
1

DNS Request

saytjshyf.biz

DNS Response

34.67.9.172
8.8.8.8:53

vcddkls.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

57 B
73 B
1
1

DNS Request

vcddkls.biz

DNS Response

34.128.82.12
8.8.8.8:53

163.166.143.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

163.166.143.34.in-addr.arpa
8.8.8.8:53

172.9.67.34.in-addr.arpa

dns

70 B
120 B
1
1

DNS Request

172.9.67.34.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

55 B
100 B
1
1

DNS Request

fwiwk.biz

DNS Response

199.59.243.225
8.8.8.8:53

tbjrpv.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

56 B
72 B
1
1

DNS Request

tbjrpv.biz

DNS Response

34.91.32.224
8.8.8.8:53

deoci.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

55 B
71 B
1
1

DNS Request

deoci.biz

DNS Response

34.174.78.212
8.8.8.8:53

gytujflc.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

58 B
74 B
1
1

DNS Request

gytujflc.biz

DNS Response

208.100.26.245
8.8.8.8:53

qaynky.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

56 B
72 B
1
1

DNS Request

qaynky.biz

DNS Response

34.143.166.163
8.8.8.8:53

224.32.91.34.in-addr.arpa

dns

71 B
122 B
1
1

DNS Request

224.32.91.34.in-addr.arpa
8.8.8.8:53

212.78.174.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

212.78.174.34.in-addr.arpa
8.8.8.8:53

245.26.100.208.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

245.26.100.208.in-addr.arpa
8.8.8.8:53

bumxkqgxu.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

59 B
75 B
1
1

DNS Request

bumxkqgxu.biz

DNS Response

34.174.61.199
8.8.8.8:53

dwrqljrr.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

58 B
74 B
1
1

DNS Request

dwrqljrr.biz

DNS Response

34.41.229.245
8.8.8.8:53

nqwjmb.biz

dns

DiagnosticsHub.StandardCollector.Service.exe

168 B
3

DNS Request

nqwjmb.biz

DNS Request

nqwjmb.biz

DNS Request

nqwjmb.biz
8.8.8.8:53

245.229.41.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

245.229.41.34.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
974bb9bd93a84ea6a97500e22ad551d7

SHA1
c928e5e14730f198378bfdac5fe4b7804cbe077c

SHA256
a4c6d2b92d2eb7be72cc182c3dbf821df86b488684891fca7dae516e44f0f108

SHA512
8ee25fb402a92d9fec06bbef7e6f6a1cddee744ba59e66bec5f2a07ad22907e36c0539ef0c7b9d42035a189bcd87235175f83243e55a5561d93b3068afabadbf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d244ed8faaef80c3fe78b4781c911b2b

SHA1
9a08e33c3b5853d4671516afdcb046b08e3cb78e

SHA256
b9df6da50c42b01055a4ae3af8e403ed86a69c1a912952d0ea53084960225795

SHA512
8d7125da8a373b620388c9e348e1a919dbafd6a5ec0875a7949caf409d87d01a3422ffa434e49911aafca0272f814e49a77ce7107008c85b74bf4b8fd2ba7110

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4395a25dffc3545ba44fe41ba1326fd3

SHA1
4bb4749b1624cce82d24010eed1baa55bb6c1626

SHA256
89c070beb4f76a8b737d1eab7e15e52e48aac0687aa978a97f5b95c029fb1804

SHA512
a7b8c46a4324776fbd7c7c43e03f44b2af5ef5db92fcf660add09861a22780889629df239e751fed58bf20c3abcc3ea2502b8a18f81125728c1f8d4f0f7d2faa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
979902a523c00c9f5b3228e4be08a827

SHA1
76df342157460014f3d609f22b52409da02a05fb

SHA256
463436b64726574583a394c1ef7c49f251177c49812a2ad1e1f0ebafdd8cb5f8

SHA512
13713a87f509e02236231876a360580438f83e776d98fcc10b30e2513b872eb396a7910a006acb1aa45219c34f188574ed3c912cc0129d42e8014ee3ad919b05

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d7591f08eb245abc0c7f8030e86e045

SHA1
e6d83279a2c11df30cbec3281be376b8f972d915

SHA256
2b43324213e5c8b78aae5d6dc5229c97f4ba80b21bbd5e885550a65d95ebd19b

SHA512
864ebcea0b161957b8709b7a98f97897384b2abb16a6164459f38f0e704fe3172ddd202f9c51e851fb62eb2cfbf5f6e48c8857ca1f397248f7e9377491edc4ae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
508b0fb3cf7f391f790e9daf3d9b5d5d

SHA1
73b4a0710436a7d1f31abd5161e82423ad8994c3

SHA256
9592fbc914e39464cc85260a9e6a536cf4d21ba0ed98c903434a9599fc8fca9d

SHA512
c83ddee492a4697813d376ffc7da6256dbabd979583df02a6187fc176b3829bd8a9de233492d3e6e1c3c451822ada38d6fffac9f047b8202cba57f0a93f507ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
240f21fa3d5fafc90b6c01fd078fbef2

SHA1
f99956b374992e68d3b4504121121726494d06ad

SHA256
3e67aac176d32fe02c8ea99820563c6f98dcae9621667645088ae6463060480c

SHA512
610c65ad38cf608f6df5a3807f1ca0378857f7f0db64bf883873f485d86b46e07976b13f8d70ac0eafd3130f8f75f5cbf4a90222bc4a01c311b482ccc873c02b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b53c188280a8f133acde178ae811b7e6

SHA1
4fb956425bdcc213707fdccfe7906dbfd71cd208

SHA256
ae4208b63e74f0ce8f355308111a4e3c466bdc571c344fff874972115d309c1a

SHA512
0dbd40b54345df0bf9ac73050827df6a2d72a60ba5175c73d4ba76787815a70a27c4f18cfd27108309c00afdab2a1a5b8ef7c90fd89e8b5446b8bf046c3b0591

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
85cb9d5524b74e7c9fa383510c472e54

SHA1
c071120dae3f1366e4aa0c361733cac20082281b

SHA256
3f68c1bbb661e7113f9ae472b98558f2878ea22e969ac6a8f9bf364d69e75a97

SHA512
9933c8293f962d161709072a18b814de5b8ad5db3ea8912880cbfa31cc98ff124d782145cbcd8fcacd5337f44539d0033ddc5642a3b8f37b6d9e81dee2c04a0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8d74351a0da17ca6a4edf9b6204ebfc4

SHA1
e18a0958c7812a391db918310b9c2625f3e6ce47

SHA256
9ddead390f0237e25bbe31b60c99255c5028eff8a178f2bc605e704262c6831a

SHA512
fc7d2163930a2073f75e02ba59926562b66672f6c0fa7586651a203ed022b4d5d4932db1d21c1e1fc2422f4629a655c3d8bc1d3adb20b95081c9ba25e7326ae3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2947afef852c146549c57d7b01fb144b

SHA1
c2a3223aeb0041e6e9bf4de92d3773cd458874f5

SHA256
94e6ad754e8f27f668cf1b79ba895af4378ab84c498e2f7fb515248d34c1e5ac

SHA512
d746c3f7fcbb6c5855d256862d079d7d096032fd349af34e1af8fa8b63bbf396d259c11eca07c0e67bc09418dda172fcf4578a55be4d8ed80f9aa59653760ba0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1d51afd3bbac0120cdbda67f75594230

SHA1
d74bf35e14d87db64de57730f59ad10e8a051f21

SHA256
09f95e0b698fced00199bffdaf93792d38720c68a057cb72a8afe24ab8e4f2ff

SHA512
40be31dbdd4d42986510af448e00ead2e3b8555af6c06271a2205fb09a7d7072a2360285ae44bec9bbd33adf9d8977b59e1f912b69ce278b006922bc2166ab97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
69a876ccecc7b0314e75e6120c46460d

SHA1
061dabcd4595ffacbb8390bec7950dbf5de974df

SHA256
75e02ab52a56c83f9015de6f63da627be51f47828171682534cd31e07f65e03a

SHA512
84ad34585772448911ed77a03ad9dbb672b4875646b81411940942513ca2ba1228748337575f64e9c10fd621db92c0f8616f23ee415c1409b931711c2ff0ee3a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a818e17be79cc1dbb36b0be8ede00879

SHA1
e06ddb7bea5d0d68858abb651d9655201bb231cf

SHA256
89e868cf477a7b56283cebdc1d27a92a50a8e26b8f7ca4751bdf8920a7f206a2

SHA512
529521c08b7392816a7e2f6d5082268f4923bb2211489fae82b6cc0af15af33fd68255fbceaa7ea26f4e9a0234f5244209df39228525329349451dc2aa394502

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
fa4a6850932ba893e28aab455a8b06fd

SHA1
7c30b4b5c880e1282f96d5dc3fcca016658ec376

SHA256
4b7fbe9cc7762dc3fe874457e204d227765f101bdfded58603d863f2365f96f1

SHA512
7283b5831834442309236d1af40721b5ef0554111e1dc3538e83e1dd01c8af6d265dc5761301ed041fba524a522e24254ee7b079c607351c36518cb5635af264

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2f3b7cd29d2c31a58c46795a0c39dc87

SHA1
315cf571b427f7db716153cef4ad696058a63d62

SHA256
07e3801bc38f39952e1f708537d5973e84dd2089f73dd65b9248b67f53117125

SHA512
8a2ce481d8bc07afde831e4471522a0a2f0cb5656984e8e1134847a0c5003f3d732ce8bc3655f53c0d6ec0f8fc4c1cf5f3abc061a2982424278c2615e0bedcb2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
001012f381fb1394451abc5c81b133e1

SHA1
d0be26cb8e90b62081662858ef0b0b76c69d8a0a

SHA256
464f2fbb77000319df6e77fae30f47c1c6c8805911c70c15d80f01f4f5944cae

SHA512
61d5e5c4f7fe000dddbf4b423705517d13178c17d97c4d8ae1b6396b274398b77f4b677c03d3680d76541290c665b4351620c03adc9d15b6ace03238fd99d444

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bf6809bce1f4470599d40c0068818ecb

SHA1
98240c6742acf57ba8bc126c6a0fd7c016f2a2e9

SHA256
e6027cafa32febb628ee3629497fece41f144654e2c5d89e69ea9c55bb3867f0

SHA512
d2493c2449e094b31ca5cc2f5b67ee7c28ff00481167a8dcbb9199d9f7bd4ccce64b088f973b2a753fe82a391ede847440943df5dc22b4ed5741678ba7428573

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c3a79b37956cf58574826bc28ea97a5a

SHA1
90e7c0bb275b4bfcec8aa1caaea625aff4cf39db

SHA256
1d00d9e0c8428a4042d125f64d4da8ac6302017b2e29a27c2e79415447ea7bad

SHA512
9f8d40a033955ecbc748e5c198f261da1278a2e639b52aa4f4d489316782dd2af89ad89b7219af3be67bd3d1b14f244d5a95a84d12964d118d8975ccf380b8b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
86b9f03f0d2c579a77111b81197a111d

SHA1
f65baf4c16c7c190f1c9082a982a5f20f6ac4773

SHA256
138afd8c4d15494b0709b33d01098df83c4c3ae9e356405d584d19817bb74779

SHA512
0ba5d19052faf67ddb7f64db55e901a09e7a69e3416d0bbd806c661ddeac42505e4eff161a1e806d2ebfe5b59a8364db200f863fb4919dc523207e8f6caa1b82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d26497c5574b487883fde46934a9e52f

SHA1
6e7ec8d3f35b3448559ce7b54d15f86fdb2d4d63

SHA256
27909780256dfa432be8310da69dc3641958e3ddd270c79fd80176988e463f33

SHA512
ea28696e30ca44844ded5ecaf13654c770e64ee9b5dcfdaf417ea14de8bd4f605101cede59dbd1e2dc972a0224944e7abee0002703085295e6ab66e3239afabf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8a4b93d1bfcefabe394bf4c9330f7707

SHA1
a4091b6a00370e02ca61f44ac0d8691f18d25f0b

SHA256
4770b1cfbdce77730827bd75aa4a1b627d29a4ee2aef9089520df5070987f6a7

SHA512
389b62bc25430cd50f72fa199a5068c3132bca464ac80c2c66d60e387dc11011429c2af5c96b2da7cc8af8b7bbb9e4bb4cd94837273b8ee937191f0dd41a2f30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
64a3fa9c0ee376425b87945246ab48ee

SHA1
6a2b9589e7d282cbed9f71d8b6be17b1050cc8b4

SHA256
1f3c20f071bda3417bcbaec4e08ac47678beadd37b5ed5cb30aba5b4e8c2155c

SHA512
5c237a628becb0a290b69a4f2ede36f75d65fa13539fdd3b56020e8502aad64c8d907263068782100889ad20f341ff8ead7ae341fc199610c60700ebc490fe77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
26fd3297e82d1a33220e567f6c5a7ea8

SHA1
a61017cac693843c9d8d6fa1873d6f122beedee4

SHA256
8457d08724a18cb10c9b2494c6361a3d4ae56bbc85892dca2116cadecf161fb3

SHA512
c03554de7e511b0064326e0aa7c06752ec3cbf4ab1a1c2298e1f784e607a16d32f04d04facb453588b4b04b49a6b19b2c00f3275fb51cb7c01c89faf3a4f862e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
047cfd61f5d3dd337c642c181e3feb3b

SHA1
95e7e02f241a6990c84e357a8320e7ee9a24743a

SHA256
7da0854962954c6d0657f15ea8acecf051cabc71e20d3865d02d65a203e0168e

SHA512
4fdcf08f6ad4bde8e9f82bb8c9c2346e1297088307294e767c1f8f04762c5550b5ff366cd5d302067809eca0c7b0dbb5cdbd04d1146fd414d184e89a79064488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f7b2493ebcf6d14536e013790d1fce8f

SHA1
efde9b0ffe485ea10b42260d38ce99ed6de3ddd3

SHA256
247066fc49c1cd96afb369801c788ceaeb95a29f3362ea91c343688fd30e5d1c

SHA512
22a7637e425046dc92a7be2e267b2ff01a0aea7c9c2634638fb1364c9ab7fd46f6b948c7754b6efba1b58fd112eccdb532edbfd670d4c29baa86811a19a852c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f5431350b2c003f7e521969fc35b7af0

SHA1
af099e88422a200ae60ec1a509ddd305c6f2b354

SHA256
5c33840bce6a2de5a9f7c8692b822c5220b3860b1fceff30104da1bc6a03c5d4

SHA512
bc16fa4aeffd107c11ee8a47ff0d685eade312a1e5a29cd85d2a8e44f4519ae1cc78ca87279b67615e47f602189c5b47f9fd6cef0c3bdc5631ddc23e598e2a43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
caeae4d5bc505343906231f22b5679b5

SHA1
5181ebed63926c5033547347547505bef05937a9

SHA256
2c0088e8ddfdb116816faad1c3906ffe353870161db30792afdceebd4918cd3b

SHA512
4586bc3de6b7846dec51be9d6980f51246b4491ebe467d9576eb5e28ccbcdcb9dedfd7d629a7eb64c6d7e70af083028124c74bfe4f9e0eba8fb26f8dc711cb48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
79eaf1ab92db6b71b3e500318c6fb4d4

SHA1
ce305b9aeec4a3102d436bef0fbe23058490f44a

SHA256
c5137e151f048ef974bd3c814ab85154dc6cfce99f938eb68947697af3dca324

SHA512
13e783d19154c31568999e4cd6aa4ab3b769f1310c23d121d71e63b1d8661364a2c72006548e869de8e719c5900e81b50e10486c29dbda5a1c6e757835142d19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
df5dd1f745b5a5ccd7f43d349d1883c2

SHA1
bd7fba06282329d06734f4572e01a7bdce38d0b2

SHA256
3f4e5df64a1c8d0480a17331a966302e46ac19c1217a82fd16ee452fb7481d4f

SHA512
b60a168156c1b407c97b856894c24272e1b8eb780f7deb9c9645112f2ac5f84db006cec872f7473b3241066451d8862dd14d74f0ed30c7afb0c516cea638f76d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f23b8bfa8700b39f76d4fc360113cdda

SHA1
417be4e7a766ea58a87da79ccfcb2dd70975799a

SHA256
273a49cb47b70191b4e84056c9e2438e45dcc86e1d6084473e4d1f13581812c6

SHA512
4ebc077b5768071db481e1f5a83f7f331274da2fe2cf5452695525aee00c6db361377cdd1439136d53963f3a416711b1813e287626049ceab89395c25a6e9ae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
338c87f0d213e166fc51da686c051d11

SHA1
b7263e244c690761116496aeaa5d8a183ba6d69e

SHA256
5ecb3ec872ee9d33a6a46c2e093883c4e49b761f01c83188f435b6cf019a192c

SHA512
eec49d9a0ce4a68c6c6dd202f2232bc6d78da6a7eb55a0fa852a69d2860e2e0baccdc70ca346c85d2810cc68b27f0300679e01e88a6304f406e3e2d16f43f79a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8f0b5407b7fc7bdb73bc20d9dafa3143

SHA1
b652062c274b5345a99bae7d262eea9e8334c08f

SHA256
0604220654bc13dded75c0489f09bb74dc3a234a7d0337126c0fb4e33738513f

SHA512
0c788589234921609d11f62b8ed511beb34b3d192e66c5db0954c5448b957eff576a496721129d7e1bd782b363791a3362433557933bf64350a1c938a7e52380

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
002bd84b6f589b349a4ef19e19d8107f

SHA1
8d3c7de24c285a4945dfaf6bd2b25117f3d17fb0

SHA256
652e457e81f6c667f1f86cb968f315e86456cd35f72e8497b37e006586129c05

SHA512
a4f945b25e3989e2b5d28e0ee3abffeab071dadd68f516c27e08bb0c740ce6a0031f3fcea7b36368adfbf2c39d4dca0a27da9668df94f5831a790f3d8f7a3f17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
06b3540ea969de3d9c2a8f53b5463749

SHA1
91f388ea838c91afb2483660905b58131a87343f

SHA256
e4512a8b8883226d3e573a578f334001178a68e52809e78653a9ad4cb183b0c9

SHA512
ade1fa945094b78d6314a353b294258a24951a949556b900cabae8a328e16f8c3c01e84e0e43e8064f4f7ef2a6cba0db1c05d423e053419213354b090c4bd3ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c7a03afb4fe0221a0717ffee51b7f7e2

SHA1
ad042bffd7da4a74e2ba8e68147ce9da1334373e

SHA256
584c81709e8599446c709075cd75ec4111928fdfe91f7c78e9c6944818acc37e

SHA512
a4cb0a3adc7a07a8730850462db11e5f243e55876fa6a84bd1b124e909e2d24ce50c2e54ec4943c9651bd15258e7f930e50e6f8a2b9cbf2c77ef80006f01f490

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a8663e42cf4fa8ec32e5f2a0034ff6d8

SHA1
53691d60791ec0c380f2b6469be0f58c75d5ef5e

SHA256
d8d2f40fa9dd4f00130f34fa9329249cef5b38bfd0458a37598583ac7031e057

SHA512
5857b50da8c5e9cc38f1bd08bf3a53d2bc6560a38af43cc4c1746390ba8c7655ed47aa1729af3f343d238922c198a14a5cfead9779446e821abad09e9ff130d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
e0f3041a1bfc02493e6e78d8523a8160

SHA1
b823c69588dc1d6c79e2752e6e1581e0871a38cf

SHA256
52e6a5413e27cb8d97b203c1b299c9bb90cb77533e6ed1a58fbe1152e957b027

SHA512
8c1cbb30b22e7c965768cdb849419468aed4549613b51978f19d2c58b322035ba3532d1a4a20e7fbe153c9831e80b8b1bc295b981463da707f8f1df3721da25d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
f2c1aa9f023e6abe0091340ce8e5234b

SHA1
b3b8bf7ada864149b1298cce6b3d0acd88ea2a45

SHA256
e49b0320652e22510a4331a50fc383e1da421a6098761e9c4311c5ab94017936

SHA512
584579bcff64bc85d7b2ecaa7ea7fa69555125c4246034a7b18d13f9849d362645a045bb5403144a315aa2b87c1797d2c8c59239668c120cfce275aade10cb65

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
71b55300cd12f21ddd193043ab2d7124

SHA1
5e28701126cbd443fa5582c5be59c5f05365978b

SHA256
c99e9180dc5ae4cdf2e7af1374b250c7ba3f221b716a3aa01ea1ec18c8cecfa8

SHA512
61c52c2e947485c0d02257760e85ee38e830880dcbb6d214017820be1b4d2f80271423788a5dec04d4d5526d518f455b7934ce8e568294e677fb0fc91a5f5b0b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ea7c3eb1af289a41bdb79ea62cf1361f

SHA1
a4491a4ced3f477a513c3e3cdc33e93bf2127be7

SHA256
fb4c2fec7a4ac9df82be17270909799a7108f6db7c07e595d366a12264bc3d94

SHA512
c6a27c4f63164dd94aa3a97cd7e029a116ba55d5ac0976dca3cf7dcaabee81d8b1be4f4e8df11c67f43d4fe424ec84a45eb17f0636c47cead59944e3036ee75a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4602c904de50e133816a91d04277237a

SHA1
dff24d7ef2819a0ce0a94ef2995026706845ab73

SHA256
488701dc4cf7549dd50745924944adc30179a7f9583870ace5abeb3759d10538

SHA512
08ca9ca26a8ba8d386b194f8d2d61a68088fd361b54cb5269d0cda5498488ba06340e9f1d662e5745ec6a76cf335f23ca910a74ad7ec9e8625ca4ff55b4c73a0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3de8ee7495f01288d1c3ccea7a11db78

SHA1
b4796fe4ca0748868e48e6c0bd53a5df1ed15d3c

SHA256
3c0642697b08db2d5d8c6cf4edb267d9d51c09fddfe9ee16f4e9899855971c18

SHA512
08ce7e5efad36539414fce42a21909365610ced420a7200f465db2f791ee94b2bbf006a1b046ab57dc864f68b846d5143ec403dfdf578d3547de3375903db18a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
98732faeb22fe02178003b8ef0ed645c

SHA1
b11016160891ae5d32e23da5a730f1b506422462

SHA256
1772f52a46ff497e121d06ed2b383262ce570e82dfe3586aeff4c2760ab84b87

SHA512
ba9320cce5d1dc65ad771cd3b015e86b0ea67d04a6fcdc9bff2c012844e4d79930c887d8586506156fa320b44168a7464342e77182de863ec5bbcf70c225db76

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fbe2441c0efb372b3c0a6853671c181c

SHA1
b7be7c0e7ccdd8112d5309eb9937a81601d47aee

SHA256
0c6f18039f1b14b60210fe841e21426de8ce6b16189b183cd2ea90d97578c850

SHA512
c89907812c00cd62ae8395de801fcad269d9883d5c9bfa2e5e0bbc3297d10e8e293192c588e0d0dabb136903f9752c906d29b72d9c5c6369caddaedf4c3e57f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b284a7d6424ce5efb6dbcdb37232f30c

SHA1
4f36c227ebeebccd4ff6acc884411c1c91247803

SHA256
125caf783c9a1abb984a2b2ac93049e52e55780cc15a9a054170ba46f21e6162

SHA512
4e4df5eda7e1ebfb79986d4c77da770f1c3d10592a9a184c8cacd08fbd73b6e8d32e121a1144fc7ff093d6e876e9534070144f0336e8c6c89d5543f5198d71f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
1c870a061203d0524f3c8fe02ad8881c

SHA1
dcd5080f7aac7a71990171cfa38e6eb649d99768

SHA256
12983cdd81b0e335314c65b32b2bc17facd43414aa8ce9dadb3f886469a8ea78

SHA512
4801f14ef12d00759fbf2d87c14bf1d5af8a83dd77040bd42ef5bfc632016285f73fd4f0be08de8dedce2b3e3a397230202e51c4525bf8562ac81f90cebaa417

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8808699b31b6a8272cf83c42bde857c5

SHA1
2371e01193f6016c1b6375c80bffb7d16e21ee27

SHA256
b8af21794036ee6e8bfceb646b6f6d607bc16308eee7ff64c08cfa19d0d37bc1

SHA512
a4d4dbbd743f5177ddcb78c86fce8b4b353053dc490d03bd69530f362e3bb7d72b9c34391bd9bdf6eb96e8cf01e68cb544ac173ed9cbbf23a189ba5107bd1166

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dc844240625150eb9e2206c3f032b745

SHA1
c221f3621c8e9efd7b43d04b02d0c248803f46d9

SHA256
a8248100a6be779c006c394db7fd2cb374d549ad24288539f3196256568a5d2b

SHA512
68d20a9b7314e536e65bd69af5e67829feafef781bbc43eb796a914051abd3711febdd1460f1c1be8b6b3a9372d9f0d10a09a1a686dbfaf202f9c21071aec0b2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b60c76d16c5296861addebc2b4212383

SHA1
c1fcf3e54d80ae8662a1809d6f7ae688a488da76

SHA256
72e095598a393a95640e447f8e790d1ab99601eb634d1cec9f0183cd1f2207a1

SHA512
e0b382be7221471ca340e2c95c5d0d13436db855a8384e4bc7d05f44fb08b8776dc281575ad177bf6835efc081dabdb8545ef07f646c469df66707f37f36e326

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
40dc1aefadd00237f0385c79f592876d

SHA1
1c2f51f9500a5f5d99f1b4132f7c9c2525635a05

SHA256
19af816956c287e35e46d5ec65afca7c448c032ce2518205495aa930edd2cd1a

SHA512
d490e51c713616e0f45bef2876c831deb22f17cf0213eddc8b61eb251265e26ae2d5c533a2631ab78a0d8db76d26f5ac16bcbc8fde54010794ed0cdffdf7bf39

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
50d4c1e278e746f3e4e95be75255156e

SHA1
0d5bc246060a7826fd1cadbe89e60d0c2f6280d8

SHA256
9b88d99d33a8d60ed6d1d9ae9caf9315600698f57509578908be80ac226d15f7

SHA512
8950a5ca337efb0c4e06961171b39b15125bf1193aaea7733207185ac79d15f311dcb778f8dbb071ecf713034b558c561863cd269635a37ba6aa4b018336d7c8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5dff9056df03905c0ba87abf31602f98

SHA1
d6ab75b5259758ff1bc5ef614d1bd74ada41011c

SHA256
4f5a02bfe7f974015c920791c30e42ad3404129e4e556519c4820ad8dd5dc40c

SHA512
2a320b1a26658d6d70eaf75417d8ea735444facd8ae446712b2d2b8f3620ad5f21759a52db9127d774abd5ee4076f4cd10aa5d4703ed58035f696d866d755ee9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
29c5883091e723577d195ed73878b1f1

SHA1
d7917e45170564f932a60f1733808f4d50566d3e

SHA256
9248078b3f6e5413a5aed454ab787e24cb6d7608ff7cc640e03fbe3f781a7de9

SHA512
1dc0505b4abb1003270f9311708d6385f04b5d8e7a9400a7bed619f179485c8885034042df14ed67036c2f007e05f03fb28f93eb1f8304430ae1c8978078a269

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ffc9fdd8f39664fb0cca0a3b2028f198

SHA1
3fc4a3f569bdbd1d7c1a1fd04b94f11e476f94e1

SHA256
8a1d26f365f377ca322d7154e373b07620b22025e92c56dfe4c31190fefcf517

SHA512
220680b7c9c8afeed4a172aaa805c5d0a1b644b80998458d44318e9e490dd8afe467658f618bb2c5cd67671093b50828bc53d207066718702279ac00c6667532

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
24f17c14c4385c7e9bf6f57da3c32510

SHA1
8dfbc4653c8b3d905129aeb07de79240542cf42a

SHA256
a9f4c685df1d91a7fd9269ebdf959a40820fe8f745e6f055a1c29d003df19d08

SHA512
5b50aeaeb7932e57807da3121be3aa77ca831b37c63a05029987c62ca00daa1868d13b578b2fc0a1870e84afa8ce96afee834a79c5eff1c471669516a79cd786

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3bc9e29028931c7692f6dd8428d6bd1f

SHA1
479f0f00007ec36ceabff38b4a24873635a9d8c1

SHA256
6adac21d9efe3d442338ce333277b2b5f252e95d06726458a9649076700281fd

SHA512
9a63eceec5d3b2059fd199b729d3798b3d1b440a8f2c076e71667e8090bbccc63e7d3215dd7af002d12242b9b69f50d8d8772642066a474981cf634453f0573e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
51c65237e511902b2e2639e5e84ed3d4

SHA1
95d1f51b2297c8d067aefa75f8c40827b3208628

SHA256
c1293b644b3bb9b62e7898f4df3b76895148b014e7cfbee93d84615a4c77f84e

SHA512
c62e13ab02ffe845f01d51689ace6b6768c5ad8aa8166cf3cbd7609e8325762a7931efad85a1d3c0da9f8d58744d1b97d95375ce03ad190ea471e1d7b2e19730

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ea42a4d21926cdc2ab8e2b7b76627e33

SHA1
efd6748428fa6837b160fabed873eccce891acab

SHA256
2ac92bfae5211c044438fe9d4d4298907e0e09c73b1488e36b6ca7d19f2bc810

SHA512
cf6ff28158478598408f1685229ad1e01b8c9e981a25dbaeb5bd81f60a83d85c45726ebb029b1096293afbc13156a1e67fd17ef9a4aaee0a534cd33a955aae8f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
18ce75c4691f95ef6c06536afdc20331

SHA1
93bd0630596fe402b63d893e47de6775a510d537

SHA256
a6d25351d78cf5ac2b17a179cf18e29a802c1e3e86b0d2de0ac087718d42d137

SHA512
28580d4ce2fd67dab456fb1ddd83167336d330b03f286dc1d3fda9ff36fe3fbaec4d9aa1c27db0828a84e2a06bd67ded21f06f129cc238edcb685e4b0dc3cd42

Download Submit
memory/184-266-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/184-272-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/184-263-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/184-331-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/448-528-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/448-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/468-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/468-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/564-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/564-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/564-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1080-65-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1080-85-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1080-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1080-71-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1080-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1608-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1608-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1748-294-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1748-418-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2088-335-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2088-283-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2088-278-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/2088-277-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2384-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2384-251-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2384-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2384-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2732-523-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2732-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2828-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3664-339-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3664-287-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3980-340-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3980-526-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4000-332-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4000-524-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4540-50-0x0000000002A30000-0x0000000002CA0000-memory.dmp

Filesize
2.4MB

Download
memory/4540-1-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/4540-49-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/4540-16-0x0000000002A30000-0x0000000002CA0000-memory.dmp

Filesize
2.4MB

Download
memory/4540-0-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4540-9-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/4540-43-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4540-48-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4560-317-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4560-517-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4564-520-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4564-320-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4796-525-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4796-336-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4952-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4952-21-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4952-20-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4952-248-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4976-259-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4976-327-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5056-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5056-83-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5056-77-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5056-252-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5104-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5104-247-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request