e48d108728cf9d8cab46b083bcd261d6c5a15b34a8150ad6ee4bff6feb12049f

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Size

622KB
MD5

00cc3d2a446330f64c2f00c81c3f7ea0
SHA1

b75cfbcbb77d898af5730a3697237481e747551e
SHA256

e48d108728cf9d8cab46b083bcd261d6c5a15b34a8150ad6ee4bff6feb12049f
SHA512

d6c58fdd544343af2815097ad59b2e97491c9c758ce66287775b06c264b918fd6f672bdeb87b5a0e2b35b3f937a4ee90fc13f77891ec956a42d2233bf9a2cd2a
SSDEEP

12288:Wu2yndwCg6/xjPHFFBwpRDftD7IBUgbScDQCSkb6wjfRMVviOvf7sibN3A1G31f9:Wu2e1g6p7HF/w/ftDsBUiScD7WGfWVbF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4592	alg.exe
2872	DiagnosticsHub.StandardCollector.Service.exe
432	fxssvc.exe
800	elevation_service.exe
2424	elevation_service.exe
2908	maintenanceservice.exe
1740	msdtc.exe
612	OSE.EXE
5080	PerceptionSimulationService.exe
4524	perfhost.exe
2544	locator.exe
1100	SensorDataService.exe
3848	snmptrap.exe
3252	spectrum.exe
5036	ssh-agent.exe
4560	TieringEngineService.exe
3020	AgentService.exe
2980	vds.exe
1400	vssvc.exe
2720	wbengine.exe
2136	WmiApSrv.exe
3556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\86f28b1bb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e365b671ca3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b42af691ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e40eec651ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cce81c5a1ca3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004179ad631ca3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Token: SeAuditPrivilege	432	fxssvc.exe
Token: SeRestorePrivilege	4560	TieringEngineService.exe
Token: SeManageVolumePrivilege	4560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3020	AgentService.exe
Token: SeBackupPrivilege	1400	vssvc.exe
Token: SeRestorePrivilege	1400	vssvc.exe
Token: SeAuditPrivilege	1400	vssvc.exe
Token: SeBackupPrivilege	2720	wbengine.exe
Token: SeRestorePrivilege	2720	wbengine.exe
Token: SeSecurityPrivilege	2720	wbengine.exe
Token: 33	3556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3556	SearchIndexer.exe
Token: SeDebugPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3484	00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3676	3556	SearchIndexer.exe	118
PID 3556 wrote to memory of 3676	3556	SearchIndexer.exe	118
PID 3556 wrote to memory of 2440	3556	SearchIndexer.exe	120
PID 3556 wrote to memory of 2440	3556	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00cc3d2a446330f64c2f00c81c3f7ea0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2424

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:612

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3252

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4252

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
17205fc45a4a4273801df7df2a978527

SHA1
ef1bb31bbb1ebfb7c67dd630a578081d10cb3a17

SHA256
bfd785e9136783572a58f9a721bdaa8aa164fe63e13f86e1a6781da800a475e0

SHA512
0432a1702be26571a8a71e6b69d39adbd0398bca0936746340b6f618e1a3867d54bb3b50f0e7e491ccadf29eee13df7cc878d2c86e793ac1745e703a44fc6037

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
cf56fb2b46f33360f40fcadc112ec758

SHA1
964a168e38b54374c52928b8afec625f6f968781

SHA256
cae2fb694c89e7709d8232fbd3c3f03ab72d41027a277bd529d53a1fee2f63ab

SHA512
f08aa306472dad8f85ecd73eca5c7a1f0b5e8530f71beb90ca63f64090f5d9cbe935b6b0f20e1e5891473a5176aba8f05537bea1a2a9170c117469e63caad5f0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b644c7dc302524360d72e4e3651c4967

SHA1
25557dcaef4ad46e0ae170880a061ac1eb8454bb

SHA256
7aeefa697ecf0ad703d65cdf16d3e07ae0123055d8a7ebb8c3f926269646b01c

SHA512
049d167895482410a1a289050fbd14d95bd3ea3316a7440ccea4e6f1c2964f1f7e8c6449a9b9ca38e96bd284c26549da42199df19645ce38c977c577eb74b79a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3e50b843e7638e22c3c1dc8ab1373efd

SHA1
01b9ca0e16c9e6ba90805a444343401f3033d170

SHA256
1ac1a1e77c1836efb8cc80df9bea2ca4ed05e6968f37993bdd3db1faa3f92958

SHA512
ead771947ca11533f91680019c3cd09d5fc9f9e108e7608f7080b426c5184acd968cf452ebe61c3fc01ad9fcebacbd0fda338a30918d39685a9809ac1e5208c3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b563ed9e2a2046d42e6aa57d136f2ad2

SHA1
7c71a3c771c5fea50f373fb862ff254b2b013136

SHA256
7d8cfed0e3c3eded894a614f628477aa5fc9fb0afb269303f95631f1fa91fc43

SHA512
9819ffc9687aa9e5521731e870ff2d723720fe0e2c9f90303c97df66a7f495075f53ef66b698b7c433ba072322e9cbf3f73709f36f290f2fad1cfb734741c02f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e1e4e0344cb24cd00732c7d76af20d47

SHA1
5c7ef56cdf7c61e131805f96cbde90d9a801b66e

SHA256
a7899e9087347614dc74092f1c3c5a430738c771395801cd0e8895e8666680b0

SHA512
f84f11b4c5bdb2ba15dc917c3df198dbc79e4261c051a0019509e35b765c78390d9d406787d362fa3277bdfe8574f6ecbb6568588efac495aef5c33be633fa27

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1e37575726dcce24493ad5eeace80629

SHA1
7ab24f0770f51abf3efbf981f7f7e41a861cdee5

SHA256
35b53fbaba92c6854637d49164130f03b824807f31092f8b1d83e3a733e21460

SHA512
274be70185ddb57e9f52a486d7d6a55ae8dbf608c02d1faabfa3a0081ca75374dd4aee21e55687dec938ea3263f56a0988c72589016b9f29467032c32a00352a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
76fe98e00da7a345974d79869bd23c3e

SHA1
299fadfc1decfb9e93fe87780359d38e53a62d19

SHA256
5e959b12d7685e776ea18c0fdb871a3b73545e03263a10ca7a4652656fb4fea0

SHA512
62d4e1c575f5daed4db63bdb52e38a8ca10a1e966a7117a90a58ee3261668c57739c947b5bf7968e9f48010b4c403cf9056b1974ebe8a90c62086c97e2d71c91

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bc95031dbfff63e016f07e34649b957b

SHA1
d24a1559261317ddd35ac81ae0807f04deb65cee

SHA256
061e729fde6f42a2f931fd27b18e33a75fa10979bd709799dae10c1ca2a641ff

SHA512
99825884d838055904de0a0db9fd7ad8c2955e21d0c56d693682248ce9fc321d0cb463ac020ddb566e20edfa87339683ac008125e0becbb27523431060f06465

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0017c0d83baf2ccab6cb92c30f13a1fb

SHA1
229f68eb204238f6b64d3366254784394d29432d

SHA256
52b5c3d6de1070821eceaf00f9ec5abe319db12ed88d6e860a8d35044a7a2aa4

SHA512
6bb10d56bd7409b453f4e7bf2a0d6a921a43db06e589a61145dd582d287dd1fd0a46e186a7750363757d0f34a0794c6f59dbbc61c48b1129dc082fd459b76bb7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
97f6123999c20d7ac97beb7dade80dc4

SHA1
b0568aeee389392dc2ebcce80dcdb0453fadc40b

SHA256
895cdd128918063104587617d2d024cf5a5decc52cd9eeae8ff7f9ba8ff1cb4b

SHA512
e17d3e096295aa6bea95f5154052fa6df0f9e882e630d4c9202d79c6026faecdbaad1806d6cbf130dea020fc7b633669afd4b2f65255b8951e26d6a89aaba113

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
003c11f91bd1a15f417906d12e87d880

SHA1
1777fb420f0dd39617a71c3716a66f76871cb6c5

SHA256
dc40f2a0e31fda8418f37ffc37ef6d53116b6c9c3fb48fda3017aff708a588d1

SHA512
7c4f20a8bb7beda27f3fdcbee472818d7a960532f70fed63303c872a505c0cd91f52d16e68435da75a7a3191a68d05f7b6bfb0ebdcad865c3249aacc145c3b78

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
84de04a33492866bc6b41fe0992c76c6

SHA1
794560cf5df41a119dcba703c7cc2b006bafe930

SHA256
8651982c20015048356ecc01202d2b4b539fefe6586c7841b5a5b67c5dc276b9

SHA512
107dbbd66ed54ebc85d89a12dab5fe20600897a8622a9fa6c3fc9dc932b0f93ff4dd1c1a5313009023d35432a22055cdedd6bee23ce28aa1018f7bc8caf75614

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
779fb5de4f16db64063aa2320770c956

SHA1
dc016946ce975abadb4ed93e049e8894e7e35b05

SHA256
04c2f8f81daa2204f7ccb8c3e6ad2cf4078893889ee10dcd29648896e8e9d7e7

SHA512
f55cefea7d500e7da99eb86a3b1084f647fa6ba123bc0e9cfc5045a1d5ba6ffa7628b7e4046be8c58e917c2f364387c55d1aed09c4fefac6f5efd61773c9fddc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6c3e396f7920e860c3c3544f37a99d4d

SHA1
038c74fe485b2f2b102e870acaac944efe91f489

SHA256
41b23c5daf2b4239918a3cb79ff2601f1b3e5427dd0a84c5f1d91638b0ca6896

SHA512
ec3dd8b78184d693a3ad326f89af922e1251f0deed1d70e03f17f46b659cbdc1ff8cdc51394d738ed4eb799b41407672fc98e80ff635f1be2179d5f199af9374

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3ecbea05ea2665dba732d53be7737a81

SHA1
0ca677a96d63e1ea6238d804f9deffbba1941f27

SHA256
405dc10aab48535a984105a83eb060983b9f42dd1bb7c2151158da8b2857227c

SHA512
f5a0b05a48170d774d3c78f26c25fc75c5eb3b6bb831a06fe8febbbb23bb33a0b1da6064f737e47b9fb0bdbd6d144915132908868c495e7fc2c23bfc5fe4ded1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0fde7d66eb9030ec76b90d145a9d5b49

SHA1
fec624c1add81a6e53a0a36a7821d550c405f2bf

SHA256
528aa1e14b878e6a9c53097dd95ceb679392a05a10f41786faa04db41bea462f

SHA512
af90602a1a115924de44865c3b9db7573a7eb5b28eb83f92ccbb1f71e454953ef306f0686091c270df7e75ec85faff40cf095eb8d32fbbc0c7649f0b80b19421

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fd0de7a0f9833b5efecc67ca1c5bc481

SHA1
bff146ed364307f735a8c54d29d5231ea5f11cf9

SHA256
8f65f0e2f86f0a1999c5722311b271476b37825c6d6cc0f43a28ce950b82accd

SHA512
7d88262dabc047280c1f14934addcd9b0467f04dd56e8f55d7294d690bdcc83d99f9cc98b16e20520a3512c3f4200953f8b74bfc6461b5deed74ae180b0386d2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a182a8622a696888ca55f9f05e7f67c6

SHA1
2c035855a5e824475c457bf23659669fda198b87

SHA256
0ff0e1f3712e74c6d8537c9075738d060a123eefe181f2ef37712e415c8cc122

SHA512
a5cc95739a2a6c92da290ad74669390a5b80cb236af890982ba964e50fbaa39d27024b936593d4fb502fbcb3c95bf97b363fb12b3b480460883d8ac86c1c7507

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
acbb06e08e2a2b11adf6d08d02f76634

SHA1
5b346a4806e85bcab557b3ce9d3dded550b9d1c7

SHA256
a6b830b9a42f043b37360ecf180985b99a2aa261c2fdebc56d2ebbe22d8c751a

SHA512
5203288f32a3067bd021b8f867b76e2e3487511599bf7a50fb386300e7b5dcd9a9b79b0a45d82f826be27013e66f78f3bd8e38179032c9105f85243948e3832b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4addd60e1d3c49b71b3bc9e0bb0c5c4f

SHA1
90b46dc1ebce136c6744c47e12edc4ee0d1e7f99

SHA256
952d528d16603cd81affac3ef6632758522364d76f166388e8509bceb2530d3f

SHA512
11bad99fe1cd22e20386df4acaf9a00c021f81cccd0450799f2e24f1583c755ad7a388e65320bed3f5d40f6b9f9cebd27c3aedc55374224804d9dcb160e81249

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3d2a9540386cf1bb9b126ca299af9698

SHA1
96428365d6cd46255947de92c395831dc9abc479

SHA256
3a40d12a5d752da94d9e1b4230e1ddf1df42f11b5b2996b4f6bc758a68344587

SHA512
a81f9078d56f098935b05e33118ac9d283a477068de9c3c7284096fa3fcb31732b90b289a681bacd3fdbcbd36fd710556386f3bad10073235900a504907da48f

Download Submit
memory/432-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/432-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/612-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/612-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/612-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/612-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/800-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/800-39-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/800-41-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/800-33-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1100-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1100-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1400-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1400-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1740-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1740-150-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2136-332-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2136-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2424-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2424-135-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2424-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2424-44-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2544-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2544-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2720-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2720-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2872-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2872-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2872-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2872-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2908-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2908-66-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2908-55-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2908-62-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2908-56-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2980-298-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2980-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3020-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3020-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-123-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3252-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-70-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3484-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/3484-6-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/3484-7-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/3484-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3556-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3556-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3848-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4524-102-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4524-107-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/4524-163-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4524-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4560-280-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4560-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4592-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4592-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5036-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5036-251-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5080-96-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5080-90-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/5080-89-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5080-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download