4faa0a94ee4cb1b9c9503783ca8da7fac14107f4f893be36ab931f26f8409594

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Size

1.3MB
MD5

6fed287a09bdd29f1935e1fc0ef50840
SHA1

6f524e3acbf58c0daafc6bb67c5fcd4182e04dc8
SHA256

4faa0a94ee4cb1b9c9503783ca8da7fac14107f4f893be36ab931f26f8409594
SHA512

9a2699088635ebf3871315913aff56f280cacdc36853ec0ba218a736bf3dedfaadd75c7bce3ed27616426c18bffb00840158dcdeaa7877cfb8a16dfaff82e3b4
SSDEEP

12288:OHgn3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:OHa1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2452	alg.exe
4260	DiagnosticsHub.StandardCollector.Service.exe
2316	fxssvc.exe
1372	elevation_service.exe
1088	elevation_service.exe
4568	maintenanceservice.exe
3684	msdtc.exe
4420	OSE.EXE
2912	PerceptionSimulationService.exe
4232	perfhost.exe
2292	locator.exe
3904	SensorDataService.exe
2428	snmptrap.exe
2712	spectrum.exe
3260	ssh-agent.exe
1668	TieringEngineService.exe
2992	AgentService.exe
1112	vds.exe
1264	vssvc.exe
768	wbengine.exe
1576	WmiApSrv.exe
3668	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\alg.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a49e6b62b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000813f9d762ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc4f5a7e2ca4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006aa0a1792ca4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006191337c2ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000811b3d7c2ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f34b2712ca4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036f262772ca4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Token: SeAuditPrivilege	2316	fxssvc.exe
Token: SeRestorePrivilege	1668	TieringEngineService.exe
Token: SeManageVolumePrivilege	1668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2992	AgentService.exe
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeBackupPrivilege	768	wbengine.exe
Token: SeRestorePrivilege	768	wbengine.exe
Token: SeSecurityPrivilege	768	wbengine.exe
Token: 33	3668	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3668	SearchIndexer.exe
Token: SeDebugPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Token: SeDebugPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Token: SeDebugPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Token: SeDebugPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
Token: SeDebugPrivilege	1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
1300	6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4036	3668	SearchIndexer.exe	119
PID 3668 wrote to memory of 4036	3668	SearchIndexer.exe	119
PID 3668 wrote to memory of 2992	3668	SearchIndexer.exe	120
PID 3668 wrote to memory of 2992	3668	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fed287a09bdd29f1935e1fc0ef50840_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3684

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2712

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
4ad943ac3e9d5fce8dab62296e6c6e69

SHA1
194b1f8ada9298f7c09531a1562f8dbe6f2b8f33

SHA256
eec0e97e95f284ca2eb4f56538a2a0535463ce9dd6a61bd450c3d75478136405

SHA512
3126e530e7fd8d108ff642bfe2ad5bead132c4d0d9f92946f2fd7ae5c700e658472822623ed74baa199f6c3b931c0313aa1dd5c463ac73f03dae13600fc88c3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3470a731fb35b9753fb53bed37f26e05

SHA1
73c5f205dcabdc40e51b5a5d1cf8af5a449167a4

SHA256
6647b508bbdd85d3443b29f2fba6ecddb437e82a820490883bdf5acc0a76b53f

SHA512
0dde38443b4ad205b69832d9f157e2a669a6e0ec1c1880ef0a65d1afb88200900bed14e467120f6f8255ea732c93af60e3bdd2d17151e55b4843d26278463d4a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e77b356613d741bfd7369a4c9425c449

SHA1
240dae61ed6417d36ecb25cae1bc0bd1988e79c3

SHA256
4a0a46a1bd0c785b1e4e7184c325dfb6298022a7fcaeb0310104f42a5b104560

SHA512
0e529bb94375a5a6ce18fb0b548f986f8ba620a8c4a46276ff50bc8f01fba2f455e50fbff21ac13e3cb9ffcc3e9e181271886c0e88a7161165940653e2a57ecb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a13c0c9fa80b7f9070b70c1bcfd6f070

SHA1
92b39674a2591ab1f4f20cc967ea9f0069a67366

SHA256
aa3bbc334c2cb71e87eda153094cb04316938b330dcb7f33db6d82a6024fbdb2

SHA512
f644e2ca457f1fc54e72eb8c8d349001df53d67c537a3adc7fad0fc5b01df92f82d82a8fa4bf8f09debf7dde52678fd8b158e59a3ad552a87e1a736c705cb4ad

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
697d6950365bc5580f7802164565420b

SHA1
29ca9da6d9c61552fc22e3272f406367a3f22bef

SHA256
1e8fb73d5e1da3622f979b60e7e7021f0ddadf7ae13353c331c21b670f8b90ea

SHA512
a8e63af23ccf1e68cfb9ed61916ff7af27780b50c9fad1efbc36b00b53f5cff9667f5c73c952a82f0b7e56becc4b26f87e55bae972748dd5f77678e4dde0aad5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
01cfa237bdb7bb142a2aa2231f3f4903

SHA1
67b29bff769eb8d86ae521e95dac85943be77761

SHA256
65b6a9995ceb55e7c6f71868c588237cc5953af076dede967dd423134a430a62

SHA512
254c4b67c337b6bfa2ebe8cde27e869a2be294ddd30b3b75daffb083725d45557d05357f7ba8c5228c2fb28d34db7732548e17ccce13374d15109213139268af

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d576ce99365b318ba8f9f7d40e3b9a37

SHA1
1ec578ad61bb6ff0fb0687bc2b9308c135758e07

SHA256
b23c3976bca6a7c26cfee4866a1e5276c248aa2225431f85dcfe42a06c71181c

SHA512
cf85f770def49a088eca461d6024d9e787ede46ade076ac2c659f3393aaa7e9155f37e06f8628c794690c0c51486018a56b6aa138b40bb12fbcda5bd40d73e8b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7d926aa8c3b7440ea4d73aebd0249f17

SHA1
8b2f66c34e1e1b7739dee5843d197e5a7cae5cba

SHA256
50185bd3ed413a2504fbb15ca99cdd287239f8f4d478484aefa27e80ae6d538a

SHA512
e295938d57aa36ce97adbe6c58718a97bbd715e082fc594d100087ea5773fee5bce59fa8434bc930e9c6cf0f23021a25638d3ad0121a35c3f3ba66ecf7e1840f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5f2fc43a91d85d84e0f913965ce8580a

SHA1
35904bd3c63778fbc20d8a50c01681bbb4091049

SHA256
4eeb846c20f71caa62850adc87c423c6b797e85b632535888d2bbc01671dd500

SHA512
216f69a71477acfee0c78fb432282097405080808f0050434ce7b3fd8804174da2cfcf90e179b3910f63e8e35672fd8221ff7b787c68fdedf4e3cce05f1788e9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1db125a5ab122eb0e5f1da75dd39fdd8

SHA1
3fecf26cd865cc217472ca45fc9313094dc55c1d

SHA256
d9579ba52e4d2c03aec09827404cc6c9126afde93b55453d2b18cbfd7136b3dc

SHA512
3023dcf610397ea6383f2f5c2be58b818abfced3c8a04374c530034efe6f770687b48057ab2da8a844ec1870cb08f1a35d98ac2101659ccfad4953fe79dde9f5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e5bdc59ad00884dcbada02c74cbfe917

SHA1
27b495e62daa28319fb7d0b5e20cec91a25d367c

SHA256
7de1b2934ad62c7821fafa573ea3f6aa1f55604d8c058243653377fef6b68266

SHA512
704e0401416e3a5e3904841c9d34f6d9549e92d1561652d16bc0a855ba90dc3bb7a5551c2800946608664cbbebd2e0e514d7f733b6389ee1a41d4c2348937e3d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cdbc91d04304392817da17318f061abe

SHA1
e9c72aeb5d1fb3c804619e6da26942e900942282

SHA256
05da2a5557b42c0030fe93d2d91f01c249bd7760cdf081c5b338e8d2fd310f1f

SHA512
aac34e691c91c93075dcf06142cddc460e760c741f83ee8911ac85823a1a075953c9a4dd61416c4132b4c93182b425821155f4f8541630d47d054287245e8576

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
705cf6c3ebc3bcaff2008cbc0e574405

SHA1
281eb2cdb1bb9016d537f12c4b42c5cebd5d8f09

SHA256
ea93f00235693544a4b98d9af8d9a33e04b29e4a025ead122920f05d8cf66209

SHA512
66b11463df011ffc33fbda5eb23af5f4cf984a58ecbdef06da981f86f7c81964d79831d3e43d73e9099b549610ecf5403936c24765a7fdce3df7500ff234b4f8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0b4e366633a5ce75911f46c1d6a38bc

SHA1
851a0a8ec5a7753290fd74c7333d0179ffc479f5

SHA256
155c123be923269175574525b2fc83b416ae127b6eb36159aa49f9b39ecebeda

SHA512
4c4564374a6aab0dba74a09d2aa120eeec3b371cfd6f44c511950d79cf2a51bfa2af21719423a24855093abd37df277caed6e58f60ad21430167acbee2afe83b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
81a684a03e3a7dac825d8aeef2a634ba

SHA1
b5cfb65b09843ddd97dd788304a5e349c3fb69d8

SHA256
0eb7cf4e086973314d973a11a3e675126cd24ddcd3593c590dbc9ec5fb6e1e01

SHA512
762c20cd08fdf8f334a6e6a0ac175c3c7b325b802b3e831a10120012354c0b4afe2599dd0c3006851f66623246f5178f77172ac800765bd6a30e40693cb76270

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2d68f2f7ddc831cd5fabaa39d9cc598c

SHA1
18f569ece76800ea2b6b6d417949508cdccd31fe

SHA256
c06888687c3702b6f19e86e5608bd43cd0d1b7dd4ab00865086a597c78716996

SHA512
177ba5957212142cf7be4d6362fc4cb7d3d04e062399a8f5e34f395a21f34b82a9caffd4bf06f9a65374b1ad7475b3732a425e098b8d855450f78bb31fa168c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f715eaa52357cc022dc73ae97204d73b

SHA1
7ea7aaa471aa724124fc63a8f01b1126828b444e

SHA256
4213f0516ccb3647f4d8f8c7f0b4d154ec6879d14923e8771f96bddcc9822129

SHA512
aaebfa779499704c7e87a2f9084b23956b777ac27cbea5c8d8bfce53b19c7a2098642bd1c85780c3c72a46c6cc82e441eddf0c8b5d360c4c0ccc9c8f2276d435

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c404c6672431a46fa173c66ffa85c64c

SHA1
131a69511f4885de1a01fffcfb215dfdc217ab8f

SHA256
6343d09d060ad20956b4d25f410fe13a2b34aae3012b7517e7f21ce767b2d899

SHA512
695aa0ca6dc14082973fd44a38a8e7e3d6bd5bc8ddf0ab7125a82c98eca52bfac96a2f1cf2c7edc5e5ade035fdcb95eebc8cff1fc484c79cba6e89a9c19f8d2a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
74efe9d77a22d0172861e92ad3c8d572

SHA1
f754f828064ebe1f5849c280180834fc75b3274e

SHA256
b0611bfc3186405fbdd4472d0de614455eee749b027a1aefea3f6cf435946883

SHA512
d6eeb1b905ea1cd595bba3d32891d3963d07e8db1e47a33e98d4d1de56c656807df0e912c0ed82f9cc97fbd7e55d25ada418434d61f9ee58b8b13f3ce969ff7c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
06dd43d38fef7e8d6258d7bd16805043

SHA1
5a1a4bc0521a85345a7fb70abfb64089c218b748

SHA256
451411db3244041a7b9034327f21929f8cb38dcdea7d532a1c27bd5522f71e97

SHA512
142da5ec97385502938d9643e4475007cab81f7336cd1178b27c65372590abc962950594b6e7c133692aff5ee338e4664a8671b44c5cc05ceb652d9f835f1487

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c620f9a4ff37db97e828b8767611dcff

SHA1
a8518c31502c9ab30e1dcbcea0848bbffbdd7127

SHA256
16d0129e61fb1a6805c22015aed8ab59858cd0262ca0711349b066aa0cbb25ae

SHA512
97264016a3a7f59816e487ce48de84ea76d09ae793d214c2367ce279bfa5b23c9e779991e4b787bb249a47c03414959b817a80590553d2909856e56d38c67daa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4ce9bab8813a35248357b6eea19154a5

SHA1
63416adba75eac284e5f1ba1b63110b598e64723

SHA256
f2a99417fd2e3a1ab1c7674654b9d49adf21d404117e1afee0e0378b2d540bab

SHA512
1fcee036ec4c7696fc79c974d15afb8d73c1ceb9b155588d14ec13f8ad0715d30b92fec2286d5b19945d0e982f4a31e547abef5ef879ecbc7698a6050b46f071

Download Submit
memory/768-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/768-394-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1088-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1088-69-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1088-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1088-162-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1112-345-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1112-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1264-361-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1264-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1300-0-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1300-35-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1300-7-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1300-6-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1300-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1372-54-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1372-149-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1372-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1372-59-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1576-404-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1576-263-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1668-331-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1668-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2292-251-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2292-146-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2316-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2316-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2316-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2316-45-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2316-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2428-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2428-275-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2452-74-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2452-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2452-13-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2452-21-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2712-328-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2712-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2912-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2912-235-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2992-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2992-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3260-330-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3260-186-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3668-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3668-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-197-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3684-93-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3684-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3904-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3904-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4232-240-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4232-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4260-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4260-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4260-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4260-90-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4420-223-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4420-109-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4568-87-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4568-85-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4568-75-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/4568-83-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4568-81-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download