Resubmissions
30/05/2024, 13:08
240530-qdcsksag45 — 10 — 30/05/2024, 13:02
240530-p95b2ahe21 — 10 — 30/05/2024, 12:54
240530-p46ynsad65 — 10
Analysis
-
max time kernel
553s -
max time network
1347s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30/05/2024, 13:08
Behavioral task
behavioral1
Sample
e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe
Resource
win7-20240215-en
Note: this task header describes behavioral1 (Windows 7 image), but every signature entry below is tagged behavioral2, i.e. the Windows 10 2004 x64 run listed under Analysis; the behavioral2 task header itself is not present in this capture.
General
-
Target
e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe
-
Size
89KB
-
MD5
e6968cc7b4d1529eee69703e493a1410
-
SHA1
7e1eb7bbc5aa3c3fe75db460a7fae8e2cd8cdf94
-
SHA256
3998381253d79bb07a422cc66f884e605b0ade3935b66666ac4daca611574a88
-
SHA512
f8aca4e6201741a3f49b6526fa7573dc92f9bbde4e362714b07e653438f60e58794b4223975a0886a610857582e0634bf2f52a5415ba960d40f415b8e683a11e
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8mVeygryFU2li0gx4EBbhnyLFW+Ye:chOmTsF93UYfwC6GIoutieyhC2lbgGiw
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Every match is the same image range (0x400000-0x436000) in a different process, and the PIDs (e.g. 2824, 4388, 4680, 1704, 1648) are the same ones listed under "Executes dropped EXE" below — consistent with each dropped file being a re-executed copy of the original payload (PID 4424) rather than a distinct second stage.
resource yara_rule behavioral2/memory/4424-7-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2824-8-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4388-13-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4680-20-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1648-32-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1704-26-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2928-44-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/5020-45-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4100-55-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2004-60-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4312-76-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4720-84-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3204-93-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1828-104-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2080-117-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4536-132-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3944-140-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1444-138-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2944-152-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4760-165-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/448-168-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/2548-177-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2216-186-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4148-190-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3900-196-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4128-207-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1316-198-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/428-212-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4724-221-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3120-230-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4996-240-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2856-253-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1244-257-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1296-261-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4416-265-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/440-266-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2916-279-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/436-299-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3748-305-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1148-313-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3244-317-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2192-321-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/4788-325-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2380-343-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/60-352-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/3652-357-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4496-363-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/632-420-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1224-426-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2856-434-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4108-476-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/728-483-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/516-487-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1896-500-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4772-510-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1900-529-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4560-591-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2568-641-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/4644-690-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2720-753-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2216-801-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/2248-809-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral2/memory/1100-859-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral2/memory/3604-873-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\system32\drivers\hitmanpro37.sys Process not Found File opened for modification C:\Windows\system32\drivers\hitmanpro37.sys Process not Found File opened for modification C:\Windows\system32\drivers\hitmanpro37.sys Process not Found -
Caveat: the writing process is "Process not Found", so this event is not attributed to the sample or any of its children; "hitmanpro37.sys" is the driver name used by a commercial anti-malware tool, so confirm whether this comes from the sample or from tooling present on the analysis image before treating it as an indicator.
Executes dropped EXE 64 IoCs
Each dropped executable has a short name built from a small alphabet of letters (t, b, h, n, x, f, l, r, j, d, p, v) and, per the memory IoCs above, maps to the same 0x400000-0x436000 image; only the first 64 are listed here.
pid Process 2824 tbbttt.exe 4388 hbhbnt.exe 4680 xxxfllf.exe 1704 ttbbtb.exe 1648 hhnhbb.exe 2928 jdddd.exe 5020 fflrfll.exe 3332 flxlfff.exe 4100 nntnhh.exe 2004 nthhhn.exe 1008 dpjdd.exe 4312 xrrrxxx.exe 4720 9xllfff.exe 1996 bbnttn.exe 3204 3pjjj.exe 4812 xrrllfx.exe 1828 hbnttb.exe 2720 pjjdv.exe 3348 vvdpj.exe 2080 xxrxxxr.exe 4520 fxxxxxx.exe 4536 btthhb.exe 1444 djppj.exe 3944 frxxxxl.exe 2784 xrxrrrl.exe 2944 nhnhhb.exe 3040 bthbtt.exe 4760 vpppj.exe 448 xxrxxfx.exe 2548 hbtbtt.exe 1572 jvdjj.exe 2216 xlrrlrl.exe 4148 llfxrrr.exe 3900 hbhbbn.exe 1316 hbnnhh.exe 2440 rrxrrxx.exe 4128 llllfff.exe 4196 hbthnt.exe 428 tntttt.exe 4928 dvddj.exe 4724 jjdjp.exe 3668 rrlrrll.exe 916 bthbtt.exe 3120 dvvpp.exe 4232 jjddd.exe 4996 frxxlrl.exe 1704 bththh.exe 1224 jdppj.exe 2008 xrfxxrl.exe 2856 lrffffr.exe 1244 tbhnnn.exe 1296 pjjdv.exe 4416 rlrllll.exe 440 rlxxxxf.exe 1108 nbnbhh.exe 3416 pjdvd.exe 2916 xrxrffx.exe 3788 llllffl.exe 3688 3bhhhh.exe 2408 jvvjd.exe 1204 jddvj.exe 1272 rfxxlrr.exe 1372 7lxrlll.exe 436 tnhhnn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file (yara rule "upx") — the section heading is missing from this capture. The matches below cover the original process (4424), each dropped .dat file, and the memory image of each spawned process; only the first 64 of the hits are shown.
resource yara_rule behavioral2/memory/4424-0-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4424-7-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023278-5.dat upx behavioral2/memory/2824-8-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00080000000233fb-10.dat upx behavioral2/memory/4388-13-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023400-14.dat upx behavioral2/memory/4680-20-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023401-22.dat upx behavioral2/files/0x0007000000023402-28.dat upx behavioral2/memory/1648-32-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1704-26-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023403-35.dat upx behavioral2/memory/2928-36-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023404-40.dat upx behavioral2/memory/2928-44-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/5020-45-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023405-47.dat upx behavioral2/files/0x0007000000023406-52.dat upx behavioral2/memory/4100-55-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2004-60-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023407-59.dat upx behavioral2/files/0x0007000000023408-65.dat upx behavioral2/files/0x0007000000023409-69.dat upx behavioral2/files/0x000700000002340a-74.dat upx behavioral2/memory/4312-76-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4720-78-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002340b-81.dat upx behavioral2/memory/4720-84-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002340c-87.dat upx 
behavioral2/memory/3204-93-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002340d-94.dat upx behavioral2/files/0x000700000002340e-98.dat upx behavioral2/memory/1828-104-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002340f-103.dat upx behavioral2/files/0x0007000000023410-108.dat upx behavioral2/files/0x0007000000023411-114.dat upx behavioral2/files/0x0007000000023412-121.dat upx behavioral2/memory/2080-117-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023413-125.dat upx behavioral2/files/0x0007000000023414-130.dat upx behavioral2/memory/4536-132-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023415-136.dat upx behavioral2/files/0x0007000000023416-142.dat upx behavioral2/memory/3944-140-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1444-138-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023417-148.dat upx behavioral2/memory/2944-152-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x0007000000023418-153.dat upx behavioral2/files/0x0007000000023419-159.dat upx behavioral2/files/0x000700000002341a-163.dat upx behavioral2/memory/4760-165-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/448-168-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x000700000002341c-171.dat upx behavioral2/memory/2548-172-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/2548-177-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/files/0x00080000000233fc-179.dat upx behavioral2/files/0x000700000002341d-182.dat upx behavioral2/memory/2216-186-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/4148-190-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/3900-196-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral2/memory/4128-207-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/1316-198-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral2/memory/428-212-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port. The four IoCs below are the same destination, 185.228.168.9, with no originating process attributed; this is consistent with something on the image using a hard-coded public resolver rather than with command-and-control traffic, so treat it as weak evidence on its own and correlate with the queried names before using the IP as an indicator.
description ioc Destination IP 185.228.168.9 Destination IP 185.228.168.9 Destination IP 185.228.168.9 Destination IP 185.228.168.9 -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: Process not Found File opened (read-only) \??\D: Process not Found File opened (read-only) \??\F: Process not Found File opened (read-only) \??\D: Process not Found -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Process not Found -
Drops file in Windows directory 1 IoCs
Note: the single file is C:\Windows\Debug\WIA\wiatrace.log, written by "Process not Found" (unattributed); a trace log under that path is ordinarily written by the Windows Image Acquisition service, so confirm attribution before counting it as sample behaviour.
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log Process not Found -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that the keys enumerated below expose the vendor strings "Ven_QEMU", "Prod_QEMU_DVD-ROM" and "Ven_Msft&Prod_Virtual_DVD-ROM", which are exactly the values such checks look for; every access is unattributed ("Process not Found"), so the report does not establish that the sample itself performed the lookup.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\ Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\ Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\ Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport\ Process not 
Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\ Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\ Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\ Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Process not Found Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 
00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\ Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\ Process 
not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Process not Found Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\ Process not Found Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Process not Found Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Process not Found Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 Process not Found -
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Process not Found -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\ Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\ Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Process not Found Key opened 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\ Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Process not Found Key value enumerated 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\ Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\ Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Process not 
Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\ Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Process not Found Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\ Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Process not Found Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Process not Found Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Process not Found Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\ Process not Found -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry Process not Found Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615482960386890" Process not Found Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry Process not Found -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings Process not Found -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 Process not Found Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 Process not Found Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Process not Found Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 Process not Found -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 3476 Process not Found -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2940 Process not Found 2940 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 4392 Process not Found 4392 Process not Found 3128 Process not Found 3128 Process not Found 4664 Process not Found 4664 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found -
Suspicious behavior: LoadsDriver 24 IoCs
pid Process 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found 660 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: 
SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found Token: SeShutdownPrivilege 2940 Process not Found Token: SeCreatePagefilePrivilege 2940 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 3996 Process not Found 3996 Process not Found 2940 Process not Found 3996 Process not Found 3996 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found -
Suspicious use of SendNotifyMessage 54 IoCs
pid Process 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 2940 Process not Found 3996 Process not Found 3996 Process not Found 3996 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 4664 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3128 Process not Found 3128 Process not Found 3128 Process not Found 3128 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4424 wrote to memory of 2824 4424 e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe 83 PID 4424 wrote to memory of 2824 4424 e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe 83 PID 4424 wrote to memory of 2824 4424 e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe 83 PID 2824 wrote to memory of 4388 2824 tbbttt.exe 84 PID 2824 wrote to memory of 4388 2824 tbbttt.exe 84 PID 2824 wrote to memory of 4388 2824 tbbttt.exe 84 PID 4388 wrote to memory of 4680 4388 hbhbnt.exe 85 PID 4388 wrote to memory of 4680 4388 hbhbnt.exe 85 PID 4388 wrote to memory of 4680 4388 hbhbnt.exe 85 PID 4680 wrote to memory of 1704 4680 xxxfllf.exe 86 PID 4680 wrote to memory of 1704 4680 xxxfllf.exe 86 PID 4680 wrote to memory of 1704 4680 xxxfllf.exe 86 PID 1704 wrote to memory of 1648 1704 ttbbtb.exe 87 PID 1704 wrote to memory of 1648 1704 ttbbtb.exe 87 PID 1704 wrote to memory of 1648 1704 ttbbtb.exe 87 PID 1648 wrote to memory of 2928 1648 hhnhbb.exe 88 PID 1648 wrote to memory of 2928 1648 hhnhbb.exe 88 PID 1648 wrote to memory of 2928 1648 hhnhbb.exe 88 PID 2928 wrote to memory of 5020 2928 jdddd.exe 89 PID 2928 wrote to memory of 5020 2928 jdddd.exe 89 PID 2928 wrote to memory of 5020 2928 jdddd.exe 89 PID 5020 wrote to memory of 3332 5020 fflrfll.exe 90 PID 5020 wrote to memory of 3332 5020 fflrfll.exe 90 PID 5020 wrote to memory of 3332 5020 fflrfll.exe 90 PID 3332 wrote to memory of 4100 3332 flxlfff.exe 91 PID 3332 wrote to memory of 4100 3332 flxlfff.exe 91 PID 3332 wrote to memory of 4100 3332 flxlfff.exe 91 PID 4100 wrote to memory of 2004 4100 nntnhh.exe 92 PID 4100 wrote to memory of 2004 4100 nntnhh.exe 92 PID 4100 wrote to memory of 2004 4100 nntnhh.exe 92 PID 2004 wrote to memory of 1008 2004 nthhhn.exe 93 PID 2004 wrote to memory of 1008 2004 nthhhn.exe 93 PID 2004 wrote to memory of 1008 2004 nthhhn.exe 93 PID 1008 wrote to memory of 4312 1008 dpjdd.exe 94 PID 1008 wrote to memory of 4312 1008 dpjdd.exe 94 PID 1008 wrote 
to memory of 4312 1008 dpjdd.exe 94 PID 4312 wrote to memory of 4720 4312 xrrrxxx.exe 95 PID 4312 wrote to memory of 4720 4312 xrrrxxx.exe 95 PID 4312 wrote to memory of 4720 4312 xrrrxxx.exe 95 PID 4720 wrote to memory of 1996 4720 9xllfff.exe 96 PID 4720 wrote to memory of 1996 4720 9xllfff.exe 96 PID 4720 wrote to memory of 1996 4720 9xllfff.exe 96 PID 1996 wrote to memory of 3204 1996 bbnttn.exe 97 PID 1996 wrote to memory of 3204 1996 bbnttn.exe 97 PID 1996 wrote to memory of 3204 1996 bbnttn.exe 97 PID 3204 wrote to memory of 4812 3204 3pjjj.exe 99 PID 3204 wrote to memory of 4812 3204 3pjjj.exe 99 PID 3204 wrote to memory of 4812 3204 3pjjj.exe 99 PID 4812 wrote to memory of 1828 4812 xrrllfx.exe 100 PID 4812 wrote to memory of 1828 4812 xrrllfx.exe 100 PID 4812 wrote to memory of 1828 4812 xrrllfx.exe 100 PID 1828 wrote to memory of 2720 1828 hbnttb.exe 101 PID 1828 wrote to memory of 2720 1828 hbnttb.exe 101 PID 1828 wrote to memory of 2720 1828 hbnttb.exe 101 PID 2720 wrote to memory of 3348 2720 pjjdv.exe 102 PID 2720 wrote to memory of 3348 2720 pjjdv.exe 102 PID 2720 wrote to memory of 3348 2720 pjjdv.exe 102 PID 3348 wrote to memory of 2080 3348 vvdpj.exe 103 PID 3348 wrote to memory of 2080 3348 vvdpj.exe 103 PID 3348 wrote to memory of 2080 3348 vvdpj.exe 103 PID 2080 wrote to memory of 4520 2080 xxrxxxr.exe 104 PID 2080 wrote to memory of 4520 2080 xxrxxxr.exe 104 PID 2080 wrote to memory of 4520 2080 xxrxxxr.exe 104 PID 4520 wrote to memory of 4536 4520 fxxxxxx.exe 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups and snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups and snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e6968cc7b4d1529eee69703e493a1410_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\tbbttt.exec:\tbbttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\hbhbnt.exec:\hbhbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\xxxfllf.exec:\xxxfllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\ttbbtb.exec:\ttbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\hhnhbb.exec:\hhnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\jdddd.exec:\jdddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\fflrfll.exec:\fflrfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\flxlfff.exec:\flxlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\nntnhh.exec:\nntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\nthhhn.exec:\nthhhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\dpjdd.exec:\dpjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\xrrrxxx.exec:\xrrrxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\9xllfff.exec:\9xllfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\bbnttn.exec:\bbnttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\3pjjj.exec:\3pjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\xrrllfx.exec:\xrrllfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\hbnttb.exec:\hbnttb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\pjjdv.exec:\pjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\vvdpj.exec:\vvdpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\xxrxxxr.exec:\xxrxxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\btthhb.exec:\btthhb.exe23⤵
- Executes dropped EXE
PID:4536 -
\??\c:\djppj.exec:\djppj.exe24⤵
- Executes dropped EXE
PID:1444 -
\??\c:\frxxxxl.exec:\frxxxxl.exe25⤵
- Executes dropped EXE
PID:3944 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe26⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nhnhhb.exec:\nhnhhb.exe27⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bthbtt.exec:\bthbtt.exe28⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vpppj.exec:\vpppj.exe29⤵
- Executes dropped EXE
PID:4760 -
\??\c:\xxrxxfx.exec:\xxrxxfx.exe30⤵
- Executes dropped EXE
PID:448 -
\??\c:\hbtbtt.exec:\hbtbtt.exe31⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jvdjj.exec:\jvdjj.exe32⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe33⤵
- Executes dropped EXE
PID:2216 -
\??\c:\llfxrrr.exec:\llfxrrr.exe34⤵
- Executes dropped EXE
PID:4148 -
\??\c:\hbhbbn.exec:\hbhbbn.exe35⤵
- Executes dropped EXE
PID:3900 -
\??\c:\hbnnhh.exec:\hbnnhh.exe36⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rrxrrxx.exec:\rrxrrxx.exe37⤵
- Executes dropped EXE
PID:2440 -
\??\c:\llllfff.exec:\llllfff.exe38⤵
- Executes dropped EXE
PID:4128 -
\??\c:\hbthnt.exec:\hbthnt.exe39⤵
- Executes dropped EXE
PID:4196 -
\??\c:\tntttt.exec:\tntttt.exe40⤵
- Executes dropped EXE
PID:428 -
\??\c:\dvddj.exec:\dvddj.exe41⤵
- Executes dropped EXE
PID:4928 -
\??\c:\jjdjp.exec:\jjdjp.exe42⤵
- Executes dropped EXE
PID:4724 -
\??\c:\rrlrrll.exec:\rrlrrll.exe43⤵
- Executes dropped EXE
PID:3668 -
\??\c:\fxfffff.exec:\fxfffff.exe44⤵PID:4448
-
\??\c:\bthbtt.exec:\bthbtt.exe45⤵
- Executes dropped EXE
PID:916 -
\??\c:\dvvpp.exec:\dvvpp.exe46⤵
- Executes dropped EXE
PID:3120 -
\??\c:\jjddd.exec:\jjddd.exe47⤵
- Executes dropped EXE
PID:4232 -
\??\c:\frxxlrl.exec:\frxxlrl.exe48⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bththh.exec:\bththh.exe49⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jdppj.exec:\jdppj.exe50⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xrfxxrl.exec:\xrfxxrl.exe51⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lrffffr.exec:\lrffffr.exe52⤵
- Executes dropped EXE
PID:2856 -
\??\c:\tbhnnn.exec:\tbhnnn.exe53⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjjdv.exec:\pjjdv.exe54⤵
- Executes dropped EXE
PID:1296 -
\??\c:\rlrllll.exec:\rlrllll.exe55⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe56⤵
- Executes dropped EXE
PID:440 -
\??\c:\nbnbhh.exec:\nbnbhh.exe57⤵
- Executes dropped EXE
PID:1108 -
\??\c:\pjdvd.exec:\pjdvd.exe58⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xrxrffx.exec:\xrxrffx.exe59⤵
- Executes dropped EXE
PID:2916 -
\??\c:\llllffl.exec:\llllffl.exe60⤵
- Executes dropped EXE
PID:3788 -
\??\c:\3bhhhh.exec:\3bhhhh.exe61⤵
- Executes dropped EXE
PID:3688 -
\??\c:\jvvjd.exec:\jvvjd.exe62⤵
- Executes dropped EXE
PID:2408 -
\??\c:\jddvj.exec:\jddvj.exe63⤵
- Executes dropped EXE
PID:1204 -
\??\c:\rfxxlrr.exec:\rfxxlrr.exe64⤵
- Executes dropped EXE
PID:1272 -
\??\c:\7lxrlll.exec:\7lxrlll.exe65⤵
- Executes dropped EXE
PID:1372 -
\??\c:\tnhhnn.exec:\tnhhnn.exe66⤵
- Executes dropped EXE
PID:436 -
\??\c:\bbnnbb.exec:\bbnnbb.exe67⤵PID:3748
-
\??\c:\pvdpj.exec:\pvdpj.exe68⤵PID:4592
-
\??\c:\pjjdv.exec:\pjjdv.exe69⤵PID:1148
-
\??\c:\5fxrlrl.exec:\5fxrlrl.exe70⤵PID:3244
-
\??\c:\nhhhbb.exec:\nhhhbb.exe71⤵PID:2192
-
\??\c:\dppjj.exec:\dppjj.exe72⤵PID:4788
-
\??\c:\lfxrffl.exec:\lfxrffl.exe73⤵PID:1692
-
\??\c:\hbnbht.exec:\hbnbht.exe74⤵PID:4212
-
\??\c:\hbhbtb.exec:\hbhbtb.exe75⤵PID:4580
-
\??\c:\pjddd.exec:\pjddd.exe76⤵PID:4804
-
\??\c:\flrllff.exec:\flrllff.exe77⤵PID:2944
-
\??\c:\rxrlffx.exec:\rxrlffx.exe78⤵PID:2380
-
\??\c:\tttnnh.exec:\tttnnh.exe79⤵PID:4492
-
\??\c:\dvvvd.exec:\dvvvd.exe80⤵PID:60
-
\??\c:\dvjjp.exec:\dvjjp.exe81⤵PID:3400
-
\??\c:\rxrllll.exec:\rxrllll.exe82⤵PID:3652
-
\??\c:\7ttnnb.exec:\7ttnnb.exe83⤵PID:5092
-
\??\c:\bhhhbb.exec:\bhhhbb.exe84⤵PID:4496
-
\??\c:\jdjjp.exec:\jdjjp.exe85⤵PID:4084
-
\??\c:\llxfflr.exec:\llxfflr.exe86⤵PID:2868
-
\??\c:\frxxffr.exec:\frxxffr.exe87⤵PID:1968
-
\??\c:\1hhnnt.exec:\1hhnnt.exe88⤵PID:4748
-
\??\c:\hhbnhb.exec:\hhbnhb.exe89⤵PID:2740
-
\??\c:\pjppv.exec:\pjppv.exe90⤵PID:1732
-
\??\c:\jvdjj.exec:\jvdjj.exe91⤵PID:2700
-
\??\c:\xrrrrrx.exec:\xrrrrrx.exe92⤵PID:64
-
\??\c:\xfffxxx.exec:\xfffxxx.exe93⤵PID:4400
-
\??\c:\5tbnnn.exec:\5tbnnn.exe94⤵PID:1560
-
\??\c:\bbbbbh.exec:\bbbbbh.exe95⤵PID:2648
-
\??\c:\jpvvd.exec:\jpvvd.exe96⤵PID:2824
-
\??\c:\lxffffx.exec:\lxffffx.exe97⤵PID:4600
-
\??\c:\bnnnnt.exec:\bnnnnt.exe98⤵PID:4680
-
\??\c:\nnhhhh.exec:\nnhhhh.exe99⤵PID:3496
-
\??\c:\vdjjp.exec:\vdjjp.exe100⤵PID:632
-
\??\c:\pjvpv.exec:\pjvpv.exe101⤵PID:1704
-
\??\c:\frxfffx.exec:\frxfffx.exe102⤵PID:1224
-
\??\c:\rlfrrfr.exec:\rlfrrfr.exe103⤵PID:4104
-
\??\c:\1hnhhh.exec:\1hnhhh.exe104⤵PID:2856
-
\??\c:\hhnhbt.exec:\hhnhbt.exe105⤵PID:2864
-
\??\c:\pjddv.exec:\pjddv.exe106⤵PID:2004
-
\??\c:\rrlxxff.exec:\rrlxxff.exe107⤵PID:2452
-
\??\c:\tbbtnt.exec:\tbbtnt.exe108⤵PID:3380
-
\??\c:\dvpjd.exec:\dvpjd.exe109⤵PID:3604
-
\??\c:\9vjjd.exec:\9vjjd.exe110⤵PID:1108
-
\??\c:\rflrrxx.exec:\rflrrxx.exe111⤵PID:2540
-
\??\c:\ffffrxl.exec:\ffffrxl.exe112⤵PID:3680
-
\??\c:\hnthnn.exec:\hnthnn.exe113⤵PID:1808
-
\??\c:\3tnnhn.exec:\3tnnhn.exe114⤵PID:1280
-
\??\c:\vjdvp.exec:\vjdvp.exe115⤵PID:4796
-
\??\c:\ppjdv.exec:\ppjdv.exe116⤵PID:1828
-
\??\c:\xrrrlll.exec:\xrrrlll.exe117⤵PID:2816
-
\??\c:\tnbtnb.exec:\tnbtnb.exe118⤵PID:3600
-
\??\c:\dddpp.exec:\dddpp.exe119⤵PID:4108
-
\??\c:\vjpjj.exec:\vjpjj.exe120⤵PID:728
-
\??\c:\xxrlrrl.exec:\xxrlrrl.exe121⤵PID:1336
-
\??\c:\fffrrxf.exec:\fffrrxf.exe122⤵PID:516