ebe2b6cfbfaa64335b910bf45541863f490bfa72a2bfe87f1bd43bbf89def851

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
Size

5.8MB
MD5

8a16b59c8d096cdae5e2194c6c9ae4f0
SHA1

8c7705fc5108d0e968a566eaa4d7fbc8b4fe64ff
SHA256

ebe2b6cfbfaa64335b910bf45541863f490bfa72a2bfe87f1bd43bbf89def851
SHA512

f4c0b16fc368cac2f31ce38879566c4eec79c3532a28000f087eadd2525fd53048fc24d34df6f4d9fa27c8244bb2cf9e1bf310a0c093e5ae4023e573d1fdd6d1
SSDEEP

98304:WNDwSlUk9KPsUxfAdNmTVi+qkPZKOBuyaoY7cjG68:W1Uk9KmdNmTsOBuyaopjG68

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
2876	alg.exe
4968	DiagnosticsHub.StandardCollector.Service.exe
2428	fxssvc.exe
3740	elevation_service.exe
2608	elevation_service.exe
2156	maintenanceservice.exe
4604	msdtc.exe
3976	OSE.EXE
632	PerceptionSimulationService.exe
1284	perfhost.exe
748	locator.exe
1712	SensorDataService.exe
1596	snmptrap.exe
5112	spectrum.exe
4596	ssh-agent.exe
4324	TieringEngineService.exe
2788	AgentService.exe
3056	vds.exe
2088	vssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\384581bdb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3272	384	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
Token: SeAuditPrivilege	2428	fxssvc.exe
Token: SeRestorePrivilege	4324	TieringEngineService.exe
Token: SeManageVolumePrivilege	4324	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2788	AgentService.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe
Token: SeDebugPrivilege	2876	alg.exe
Token: SeDebugPrivilege	2876	alg.exe
Token: SeDebugPrivilege	2876	alg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 384	4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe	97
PID 4148 wrote to memory of 384	4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe	97
PID 4148 wrote to memory of 384	4148	8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\8a16b59c8d096cdae5e2194c6c9ae4f0_NeikiAnalytics.exe" --type=collab-renderer --proc=4148
  2⤵
  PID:384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1120
    3⤵
    - Program crash
    PID:3272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 384 -ip 384
1⤵
PID:1904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3976

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5112

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1692

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
e651424ca2fbe28c6112e749e867c1f7

SHA1
09a6fd937d6d30afc6b4016ca6a72a5204fd168f

SHA256
c0f1c18e2ba3ae89cb41c796de09346af655a4b5cb88bb7b2fac4f3afbe9fca8

SHA512
fc07686e5134cd535d9b10ceb313abd39407288ce4e706f3cc2faa880dcc8e4ec903b157551008d2ac333b725056e8bd92e26a9071c76f488b48ecf9e0965b34

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3a21a1e6ba9e78d7342a6fb3fe6ccf73

SHA1
2e72abc5c430e4b67064e1d5636e6805f28262a0

SHA256
264b6d8637d5f510cbde649986e358da0202017dce645b17340821a5706ded4f

SHA512
9ebc20c36edc17fb7dbbc68a1e67c15c69847f64daffe90a96b0628ad3a9ba5ab3ee48c3a37b0373e4f287454cecdfc0bf92a295462ebb6d27ef2757f4af9ce4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e8c99d9b1bdc49fe4a1c5384321d55c6

SHA1
542d21aa77e56883ca6f30babd6f01474398eebf

SHA256
5fe4595a37904ea63fab29054a39abed37503f795a29034013b57731dcb7f766

SHA512
5ce0f0045cf2cc1bdd32e19d254c876abe75b44508ee370f8f74542195e83aa6a2c8d1b43ba117d62464bb62ca51bce4a690db2451dd2c48d906c342549a92b0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
20ab271e552d44b1d2335e9e7fe58d86

SHA1
be49e1001fc876abc64b27b651a799b8cc4fb902

SHA256
9dc7b0d8b7b691b156254b297724b891c662611ccfb0316b57a93aad5b6366af

SHA512
26c891907463efb21dc05645986d08db08d129a3cc4d992538ee33e33e18d6a638b1cf497bbba8ea7e49e250132cf642d5992e5e82b7366f7a90b50a1511617f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
75b43e4aca3cf2a378a68fd1209aa932

SHA1
727bd39305b961ab1f0df3891d081c8db3aac52a

SHA256
d53fc159ef90eebc73ede47ef028dd8479531c052f056412dab5d83f9e9f5644

SHA512
9736efd6326d5473a88ed56ac0e133e819a2272dc1c79ea4dc02e03f29f5a2df54f8103e5061514b2c367f777b5354209975fef2595cc65543b7aa15b3acb1c2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c84756021082d5680d9eef8f9257bdf0

SHA1
277f686d2694905f33289f61fb9bd41c30e3d4e1

SHA256
80ea691d76dc7242335c20ce14b2cab281b199df766455d4e472409139b1141b

SHA512
b980602fda6d99d8f2a640bee56f9f994b579b140532f964ed55a82eeec5816ff9f3ac5c7befcb811f84d65ff06c31752046e7e5469ddd416085f89b82fef809

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a9010e7fcaf498e0bbc8ed18b4b71d99

SHA1
f3c0270a98a266ed5c352bddf1519d4a33d787ce

SHA256
f4fb9201688e1368737462af3f722b435f52dc385a2619aa3364653b3268197f

SHA512
021c3863297677e5b28fdceef30e26a5120ab624a8140ad9c2ed61cba2298cb5e78ee543c129022b04485fbc7986988c36806b73224d415390fd1e69349affc5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b6031e636e35566d195a2d97cca78861

SHA1
c78fa6b29a2710f1d6a2c1e32ba5626115a10468

SHA256
71dfa6fab99cc6df27115493cd33016a7c3519645e83403cbd0d70654cf99721

SHA512
f6975a630a400975e052aae7402fc9fe68fc03de2de698bc8bdfb68bc9b2e2f5d6f3bc70bb5e37b79871d785bc0943b659276ff41a89948f3cfe7bcfc6c2d5b4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
c087c32e75ca7eda71d143d0ef14ac69

SHA1
0158b58991334a84725d738b31164bf6b1d8d7e2

SHA256
1243cfb19ee5bf217c95cc60caa5c8a69614d319b0ac2f9101acdadbb32c6750

SHA512
6c90b2352ca1500ca2e03bba6d032294a6c3de374e14c65234422412e48bb9b3c96b219844f1cbbe4a6994b96b1a3a4e3d069c5def4c56529096f34c110c5159

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
d47d5f5faba622ca14599b2f2788a75f

SHA1
fb51e89e05a2cd071f76f42ff63ccf4d0afa5ad8

SHA256
a7c44c6731a0015443c8d29bbbd05c67ee14d6c56d945c4b4ad218e3a68b81f1

SHA512
e43303c729bec41136a9ee62eeee5ba9dfa84d35225e56174d1a2556b29c95a869116403f25792a310f90cc06a1a4333bdc49ee95b63c4881aecc4fb258f036b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
81d4bf961590f639bf38e2d6a429afa5

SHA1
15a08e7969232bf93544239ae0705118bf324b3f

SHA256
5bc888f6a3fb914c7816b8f814edc35d53a903c15ac45a2514751f4ce1bf360c

SHA512
fa2649de0f9bbbbe41f4d67e4142b068a5d51308d2b754ae77d0c9a6bceee106b49a8599a10c1da811288696ace7841d489e277ec55cf885a6d4f0193aa2d068

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
428503419c0b5ef8e709c79903b1d6c0

SHA1
9c2dceef3fc036135f87c6b2cece7f5fa1e1ca01

SHA256
47d5f9c5199a87fe9c943955a3f54c3a73af0dc991b2f95449adca68238f14ac

SHA512
4f23dfe7e00e83abeaa83fd64bb694ce73f28880f172370797db6e7d0340e7373be05c6b6e3811ed2f7faaea3e1467f433d5550cc88649597786ba13a9b993d5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
73a85eb164a347b3f3913267aa8e1348

SHA1
27e225c67a60522d0f94809cc8eccde236a90349

SHA256
599c6dc336bce4c243a85c42125fc5a58914ab9ddc33ee8bd6b7a9373434ba22

SHA512
a1ff230cd49ff4040102f7eebddbc7b27acbb91a56f457e17bd4b539a591e1e08385082277c4dcdb175c520ed7a62be1b76ce8419f0ef340d35e1ee9c2d2d40a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4c386476f89d03a16ee0cd660233a302

SHA1
23492104b0d9e18462771738528016be80091869

SHA256
6932a14b0d2340c6ef5bc19e223d29a7d9c16c4fef1a689e250d00bc886c4cbc

SHA512
3963f9b81c240bfa83af7eb46ee6c7edc62c05bc4eedb16be9f1367bc7786b82241b2727d56f9e14a5ea26eaa6b90a9d079c97e509c91f53c62b0716a062cd1b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
909c2771440ee8a302833dac51b0f4e4

SHA1
63040db4dab4693d133e8258fd9f320937ff569c

SHA256
30cdcb20b46539ead275234628678377292ab4106808bcb97fc902ba5e3a54d4

SHA512
f2876e3ec896eeac6f7e101d4190131357cd64f68da76f6e356cf106e6244f95da3a2ed82634cc6f2a7ed5f012f95bb8b48e250540c6a9a88c1fd969a04522b0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f150d46e76cbced1022978b064e50b01

SHA1
1cdf98a47aac48d0650f196e0afce7d9524235ee

SHA256
65fa5eaac626d65bc8ef2a85f7777b0e9342dbc2410a54dcab2d73770bb26daa

SHA512
15254550cac12a1e016ee3291620a2d302c747e3a721580a40d87e09d58251bfd746293898549a28a324f5b64035d90efa8e11c471ae7d6b36ea7176c7bb15e1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
639f1e7531ef8cb062b86e8bbc9442d0

SHA1
439e9f115834a5f762af87d1e0b8a8649136c1cc

SHA256
59b34b1dee60c9e8f818c170c866d40540fb9b8a58d9a6b5303a7f5279866aa0

SHA512
83cba17f0ea025886c849981e8181a796f37940623d5fe102437f53d48751fec95853d69eda692c7774d8f579393d46806729d6d2c4b2cf2033e8f65e5e8bcb6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
65fb6421a7e4916d6a6f351624bbaafe

SHA1
439d8bde00421eb3747054e51fca3f792a78706d

SHA256
d39686fc8ea2cb941d9de8c4e9bb3a4f055e5fcf350d1df5f6cfdfb11a5e7978

SHA512
94b7ced0f176a505381b3d2a8ccee058f3fc4d9874589caa09a74a64104800ab4c34dbe6780f56e9f83ae71785fb5fbe19de15dd4211d581419856195034f2d4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ab1e4776c52cfb3f7bffafceca20954d

SHA1
2af833cac659231433ba1b863ce72ed3704315b7

SHA256
5d91fa67914b8ef6b115da3cec1005c6f15d85af27ffc79cea5049b2b8c979a0

SHA512
293bc96903896c1fa6001ade1d43eb48a0ec12e9b8ac5adb2794f8f29de039e830ea50bd66d1b5b6da6782dea63d8b25540258a1e3228b4990156c5a47662b8a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
30f5c1e538d74d9b2bc2a90f43dc45d0

SHA1
9e82da79284474d7b8c1706a500599095b70b812

SHA256
f4b8b9a59091229c95b7e32e716136267975cb647f79a3252a672d2a50c2e549

SHA512
c6196b265718247b63bebb5380089ed8d67fe136e7c10e29f53bfec6e25d6c34c06eaa1a01569ab811d96ed2eadba2aeab20bc298b3dc75937e2da0024aa5adc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
11994cf7d81ec0665b882e62a5b49e6f

SHA1
33e81d801ead13f71c7d5f56ede2a81e6f1aacc9

SHA256
f7fe5573a1562a8562ef34357df6fb925ce4eee1cf60fe17525c08e2b2617720

SHA512
81aafe25897c5b41854c8e5223aca76c7d9224364c3290bad6572119daf2c0b481f197767487ff3189c86e2ec23a909739d5451bd140785136d3d62063e8b335

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a0dbc71bbb5bed8eb718e3576a70ac4e

SHA1
aba29ddf724804afa612035660565960443e65e2

SHA256
5f09ea3a43c0b678d0c267a2284f2e259fa661b1e8af0eb09b6fe726dbc626f1

SHA512
9d342eaa6c8181af9b0f46a78a5cd244077c135f81708551d7ce008c99b99686a3479bf3bc3fd148a7bda9c063b1c0af7baa97dbf7c4051b29e514190d768cb1

Download Submit
C:\Windows\system32\wbengine.exe

Filesize
2.1MB

MD5
904c4acbfcf95f616ec7c6aa15fab749

SHA1
05df498e5724aaecefc4b2159b247dc3cf2c996f

SHA256
3cc06d0bdff360e0e603fab1813c064d18b61cffe53dbe0feaf70891136975dd

SHA512
3c99e446d3b63d20fab6449a8b34d34e17f755eba22391d85a21cb7fb67ff59126cf5a06b5f6f2de89f7c88f5d992daf17a0d37ff2958ffd84472d7e33ab265a

Download Submit
memory/384-195-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/384-78-0x0000000002690000-0x00000000026F7000-memory.dmp

Filesize
412KB

Download
memory/384-73-0x0000000002690000-0x00000000026F7000-memory.dmp

Filesize
412KB

Download
memory/384-81-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/632-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/632-245-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/748-147-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/748-285-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1284-137-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1284-278-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1596-340-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1596-171-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1712-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1712-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2088-397-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2088-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2156-95-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2156-91-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2156-89-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2156-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2428-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2428-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2428-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2428-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2428-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2608-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2608-65-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2608-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2608-182-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2788-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2788-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2876-98-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2876-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2876-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2876-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3056-394-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3056-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3740-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3740-58-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3740-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3740-53-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3976-123-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3976-233-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4148-269-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/4148-2-0x0000000002870000-0x00000000028D7000-memory.dmp

Filesize
412KB

Download
memory/4148-60-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/4148-0-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/4148-6-0x0000000002870000-0x00000000028D7000-memory.dmp

Filesize
412KB

Download
memory/4148-7-0x0000000002870000-0x00000000028D7000-memory.dmp

Filesize
412KB

Download
memory/4324-215-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4324-384-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4596-196-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4596-375-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4604-218-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4604-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4968-120-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4968-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4968-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4968-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5112-365-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5112-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads