sality | 3cd43564b5be851aa99978593a1be701004072a51112efbee18d9bac9cfb2d6e

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

explorer.exea2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2800 explorer.exe
Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2800 explorer.exe
1144 spoolsv.exe
4288 svchost.exe
2576 spoolsv.exe

pid	process
2800	explorer.exe

pid	process
2800	explorer.exe
1144	spoolsv.exe
4288	svchost.exe
2576	spoolsv.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1332-1-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-4-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-9-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-5-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-6-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-12-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-23-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-16-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-11-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-36-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-34-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/1332-56-0x00000000029C0000-0x0000000003A4E000-memory.dmp	upx
behavioral2/memory/2800-75-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-72-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-84-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-83-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-78-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-85-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-77-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-76-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-74-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-88-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-89-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-90-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-92-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-91-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-94-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-95-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-96-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-97-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-99-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-100-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-103-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-106-0x0000000003510000-0x000000000459E000-memory.dmp	upx
behavioral2/memory/2800-107-0x0000000003510000-0x000000000459E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe

Drops file in Program Files directory 4 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	explorer.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	explorer.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	explorer.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	explorer.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exesvchost.exea2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SYSTEM.INI	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
4288	svchost.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe
2800	explorer.exe
4288	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2800 explorer.exe
4288 svchost.exe

pid	process
2800	explorer.exe
4288	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Token: SeDebugPrivilege	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
2800	explorer.exe
2800	explorer.exe
1144	spoolsv.exe
1144	spoolsv.exe
4288	svchost.exe
4288	svchost.exe
2576	spoolsv.exe
2576	spoolsv.exe
2800	explorer.exe
2800	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1332 wrote to memory of 776	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	fontdrvhost.exe
PID 1332 wrote to memory of 780	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	fontdrvhost.exe
PID 1332 wrote to memory of 1016	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	dwm.exe
PID 1332 wrote to memory of 2652	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	sihost.exe
PID 1332 wrote to memory of 2664	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	svchost.exe
PID 1332 wrote to memory of 2864	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	taskhostw.exe
PID 1332 wrote to memory of 3524	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	Explorer.EXE
PID 1332 wrote to memory of 3696	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	svchost.exe
PID 1332 wrote to memory of 3876	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	DllHost.exe
PID 1332 wrote to memory of 3980	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 1332 wrote to memory of 4084	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1332 wrote to memory of 1360	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	SearchApp.exe
PID 1332 wrote to memory of 4012	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1332 wrote to memory of 4444	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	RuntimeBroker.exe
PID 1332 wrote to memory of 3888	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	TextInputHost.exe
PID 1332 wrote to memory of 1204	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	msedge.exe
PID 1332 wrote to memory of 2776	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	msedge.exe
PID 1332 wrote to memory of 1324	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	msedge.exe
PID 1332 wrote to memory of 1516	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	msedge.exe
PID 1332 wrote to memory of 1980	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	msedge.exe
PID 1332 wrote to memory of 2344	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 1332 wrote to memory of 3812	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 1332 wrote to memory of 2800	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	explorer.exe
PID 1332 wrote to memory of 2800	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	explorer.exe
PID 1332 wrote to memory of 2800	1332	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe	explorer.exe
PID 2800 wrote to memory of 1144	2800	explorer.exe	spoolsv.exe
PID 2800 wrote to memory of 1144	2800	explorer.exe	spoolsv.exe
PID 2800 wrote to memory of 1144	2800	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 4288	1144	spoolsv.exe	svchost.exe
PID 1144 wrote to memory of 4288	1144	spoolsv.exe	svchost.exe
PID 1144 wrote to memory of 4288	1144	spoolsv.exe	svchost.exe
PID 4288 wrote to memory of 2576	4288	svchost.exe	spoolsv.exe
PID 4288 wrote to memory of 2576	4288	svchost.exe	spoolsv.exe
PID 4288 wrote to memory of 2576	4288	svchost.exe	spoolsv.exe
PID 4288 wrote to memory of 1160	4288	svchost.exe	at.exe
PID 4288 wrote to memory of 1160	4288	svchost.exe	at.exe
PID 4288 wrote to memory of 1160	4288	svchost.exe	at.exe
PID 2800 wrote to memory of 776	2800	explorer.exe	fontdrvhost.exe
PID 2800 wrote to memory of 780	2800	explorer.exe	fontdrvhost.exe
PID 2800 wrote to memory of 1016	2800	explorer.exe	dwm.exe
PID 2800 wrote to memory of 2652	2800	explorer.exe	sihost.exe
PID 2800 wrote to memory of 2664	2800	explorer.exe	svchost.exe
PID 2800 wrote to memory of 2864	2800	explorer.exe	taskhostw.exe
PID 2800 wrote to memory of 3524	2800	explorer.exe	Explorer.EXE
PID 2800 wrote to memory of 3696	2800	explorer.exe	svchost.exe
PID 2800 wrote to memory of 3876	2800	explorer.exe	DllHost.exe
PID 2800 wrote to memory of 3980	2800	explorer.exe	StartMenuExperienceHost.exe
PID 2800 wrote to memory of 4084	2800	explorer.exe	RuntimeBroker.exe
PID 2800 wrote to memory of 1360	2800	explorer.exe	SearchApp.exe
PID 2800 wrote to memory of 4012	2800	explorer.exe	RuntimeBroker.exe
PID 2800 wrote to memory of 4444	2800	explorer.exe	RuntimeBroker.exe
PID 2800 wrote to memory of 3888	2800	explorer.exe	TextInputHost.exe
PID 2800 wrote to memory of 1204	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 2776	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 1324	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 1516	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 1980	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 2344	2800	explorer.exe	backgroundTaskHost.exe
PID 2800 wrote to memory of 3812	2800	explorer.exe	backgroundTaskHost.exe
PID 2800 wrote to memory of 3488	2800	explorer.exe	msedge.exe
PID 2800 wrote to memory of 4288	2800	explorer.exe	svchost.exe
PID 2800 wrote to memory of 4288	2800	explorer.exe	svchost.exe
PID 2800 wrote to memory of 4056	2800	explorer.exe	RuntimeBroker.exe
PID 2800 wrote to memory of 3840	2800	explorer.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2a935649fbc3eb38195bcb7f218b280_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\SysWOW64\at.exe
at 01:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1160

C:\Windows\SysWOW64\at.exe
at 02:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1136

C:\Windows\SysWOW64\at.exe
at 02:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4444

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7fffde21ceb8,0x7fffde21cec4,0x7fffde21ced0
2⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2276,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:2
2⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:3
2⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1716,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:3488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2344

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

2

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

2

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery