cba4e6ab604a405396ec928f1991a1b24eac20519e905dcf79d3666654771731

Analysis

max time kernel
11s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
Size

582KB
MD5

8e2cd24a9b2fa8ea9713fa3706fd3700
SHA1

cd53b8c6a502cbd64c2b6475cc47e25b13e9e55a
SHA256

cba4e6ab604a405396ec928f1991a1b24eac20519e905dcf79d3666654771731
SHA512

2649ee81ee3b92845bfbe4215ad40a3826b5ff2033a5acbd962ad6e908cb9979934a8962b5f061bf4c3a61d8d16de87c24988348324de653fae670cad4c073a6
SSDEEP

12288:8Gt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:jt/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1548	alg.exe
1480	DiagnosticsHub.StandardCollector.Service.exe
4032	fxssvc.exe
5000	elevation_service.exe
2552	elevation_service.exe
4140	maintenanceservice.exe
4864	msdtc.exe
3772	OSE.EXE
2632	PerceptionSimulationService.exe
4572	perfhost.exe
4508	locator.exe
2144	SensorDataService.exe
4732	snmptrap.exe
4852	spectrum.exe
4100	ssh-agent.exe
3884	TieringEngineService.exe
3124	AgentService.exe
2072	vds.exe
3784	vssvc.exe
4964	wbengine.exe
2556	WmiApSrv.exe
544	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\locator.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ec5820c84a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\System32\vds.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	316	8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
Token: SeAuditPrivilege	4032	fxssvc.exe
Token: SeRestorePrivilege	3884	TieringEngineService.exe
Token: SeManageVolumePrivilege	3884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3124	AgentService.exe
Token: SeBackupPrivilege	3784	vssvc.exe
Token: SeRestorePrivilege	3784	vssvc.exe
Token: SeAuditPrivilege	3784	vssvc.exe
Token: SeBackupPrivilege	4964	wbengine.exe
Token: SeRestorePrivilege	4964	wbengine.exe
Token: SeSecurityPrivilege	4964	wbengine.exe
Token: 33	544	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	544	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 3696	544	SearchIndexer.exe	112
PID 544 wrote to memory of 3696	544	SearchIndexer.exe	112
PID 544 wrote to memory of 3940	544	SearchIndexer.exe	113
PID 544 wrote to memory of 3940	544	SearchIndexer.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e2cd24a9b2fa8ea9713fa3706fd3700_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4428

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2552

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4140

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5b111a67674e9ef65c54157fe472eb68

SHA1
9c5fba9e1dd88fb5cd5bba50cf28db2856a1c3c6

SHA256
4f709c5f2c7cc46bfc2bb34cb8eab46cbbeb258d88d1d876baecae6ed9ea0f42

SHA512
6df2c8e046685b904d1293b0a7a21958f4df9e1968b001498f9455912cfe3218bfdd7212bb3d4c8210b193d1e3420994f37fd8448dbfecaa715840d6bdae492e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
5058dcfcc735477a455eff7f775fa912

SHA1
69223ad71bdb3247ff98d6f0b42e3f42cda2f441

SHA256
31697bbce1dc358087b2b11d5223b911d609e84da2163cf01fec74b50fd09c22

SHA512
bb54ad9289b11cfa3831adf2222cdf2419eca1bce4acf6dc1fe90ace222ad9b63cf96959aa30c894729a6333d1d004cf64035a51f5eeb481b05216064d4990ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2dd88f6a1ada97d956f0f2e6e783f462

SHA1
9472f0255b7e332be2c5d3b77f0d5d890e689b2b

SHA256
f3cd08d0360267f08fda2d6636c1a8dc2840fa85e78c24cd3a5f3d19cf9bf1ac

SHA512
50ffadc23d56267e85cf9f68fd529dac2a924fbb055fcac10bcf297fd1a4aff4f808781cd89a5b55e1af6a4b3522a5e643b250f1da837232b4c299ac31744203

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a7d494f79af18aec3067b2e4debe6fb3

SHA1
f162dc02a181ad15b20362c5a0f7070f8a4c1104

SHA256
200f3c02fb34a8b84f94ca4b020ca65b48e68faaaef1838436c3a6c2c0e5060f

SHA512
4c3db22c2b45882113b468314fd0441d69ffd8852347bee581295991207e0e2079ccfa602825ed356199a712061f2bdf55b88337fbde0a02e9f6780c4a35575c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a93bc1b2316057266c424d339ab99ffa

SHA1
edb3f2222f3a605631ce5799f87f6f60d91df1a8

SHA256
08b1a9e2a52410ccb5e1c0d404080c84b5ee90a4a8d749e6b58a034e3307a228

SHA512
1a961b85d52550bd1fb7be3d56a5d016470a10359632bc1b3b9375676e7c75167d05d18a79e360d235285b1447fa4987bdb5ec299576e376812ad6213ee7e4d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3c14daaebc543aa06e7ba47b1289ac25

SHA1
35c45517eed34a8afd03aa3f0435b388d48a423a

SHA256
ab9ce4c98df556457258466e5b68eacbfd618b3f7fb983d8dcb6eb7e56783e20

SHA512
ed3477e349b20c09d2d6e65ac64990112540c9a5548b5d4638c989c1fa5738f13c4b5ea995f73a99bb5574cfd0d53405daf5739225d6df41661cc33c29cf70d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4c0ec17bbc7630d90116663c8e59a830

SHA1
f6a1c19afd7f841953a28821012c016cb6e9bcad

SHA256
7d3c28959e4f161d9a83801b5b74e398be2b164937affb86be27d1c2e962d65c

SHA512
8ced667510318a52d2ef11cdce68f38fde7724051067a353de3adc4eab19a9968c9316914be2af2b0c6b698d0643da1c0e6ec5095aea01f2ff64ad0dbac9d5d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3a1f2f78f26e5df26af16d97d121fe4b

SHA1
ab7b706ba797725c340765ba2f007726a1398003

SHA256
1153e6b20d366f24369643b1ef78b79fdb7536a56bb5f74fe09c01a65df1bdf2

SHA512
21d2c78ce8e941a2cbbd3aab2820e24c932db25080b078c682222b9c6cc3f9c89e96f5cf92f7a26ea010b7d1a052c5b69ab179e3a192ee364e8855f7cf15cd0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6a21ad76ac29f5beab8240daff80cfff

SHA1
9f4bac5266096cecda1a1b303e8b409393afe4ea

SHA256
f6309a7129b7ac16b2edc2b5145c86595a0b6c1f7571eea49d5f5e611751754b

SHA512
546b8d3360574571676f2ddc3ee1f1bcad58b5c2df33f48bae2f89fcd0b829f91cc21ec29b0ec00d001ed54bd59c0e7033da7cdc7dd76d721b2728a336f87140

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f7de17352f1afb41ac62f8de5d0c2cd3

SHA1
3ae265d7669db10b5c77a7ecbcf5506dcfec6f24

SHA256
6199199ccb30d8b98808fe9a6a386aff373e9c147ea73d70dd1a17287c63dd9a

SHA512
8c34782cde885bb1b2abf3d4555f94be898e3c25a376904c975cc8d169fe80bd66789ee3847a79435c06943fc05fa012b81d4e90eb9e44d6c71d033417a33cdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c766b120fe8ee335df6dc50e8c9a4915

SHA1
f83710d693083caca16dd90a5427fed33581043d

SHA256
45f0072920df9a1f6d526d438f96f9b54eadfe4af589a11e148d3e7dc6652428

SHA512
02216819ca5e3f77cb30d4de1f10cdabf491308484251aa3676206a5cdf63ec4a03b7fd47b580747386ad55d350b51457e25f31961844d751b8e4e0474a1e83c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3de609b86accbc252cc62b002c21dc88

SHA1
a7da247949bfb0d959cc472bedf6d8becc038484

SHA256
dd2904c8595d3abde4bc9cdaf717e87fb7718365ee5c4058efee08608136c135

SHA512
29ba29fcedf86830edb1b448d26e6252280e537c46f6a2a8fc7a59e0aa0816187ab72e5f147a05ff3795594b9cdbeb00439963663e53bf40325a357d57c78b6e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
88199098674ce96e0686dc8514d928f4

SHA1
668558b6e2ee6f3e9ca896e27a2183a609d20cb0

SHA256
b490c032206b9be5ecebe6a204fa209ec8a7949ba14741227ce5670acb2291c7

SHA512
a905ecb252bdca9d1e7a0b7d57c20459f16b7ed9d31a0eb0ae4045e0bebdb8d30dec97c31576093f04385e712e44b36e45f8af3219c0cd18a352a83b8fb25770

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9076c99622f34ac13514d163e1c1d5ff

SHA1
a01803eab7e6006acf14e6ed9940f8c899a1b996

SHA256
bc4d9f742a225274f96307913924fdc0c7894be6f9829a4d2266c72a8cb0508f

SHA512
1b912c554ee2c8260f0e1c674a33a01f62992460c84fdb5fad7110e78485a95b406ab47229814da140380b1400d106a17a1a40e06a5fd270d67f2cdfd1b1f090

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1e53097823b37de2e4c1206f941f264f

SHA1
f779a9a66385e63b01dde256ef12196fe15340f6

SHA256
5383394f74b292105e31c3378959abf5c3cab514b7a6429158bf8bed2b363b2a

SHA512
8f89f14e39b2393321742c9f9b3a9ce8e437abb9880c4b61a83347c33ae9d11e18c80d02f6037927395424f8d618e6636a8aa96f6a545c3526b9ea5b1d54269a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3d1eac6683d494a770bac57a06af361c

SHA1
18d586d838bd175efed469ccd0c279785a4ccd84

SHA256
fd7ab6f91f8a8c55c2241ecbcbd0e587d16e98412723e780d9c3493a82c540a3

SHA512
166bf2db08a7662e9162ef57e555b9425efd0e960ef2d84d763558d5d6e0ff9715e84da2ae6a484ea440600dd9548f11201f46d2ed7b7e3820866af114395114

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a755050bfb52d74751e3d2f3980e8360

SHA1
f649ef369d99a990276177cd0ce9a52cb6fa0d77

SHA256
ff4d4490657cf7fdc43430c12d68ca945761242ea778bb92364726dc32f1c12b

SHA512
c368f8ff99b42dec930cbb01a094656a8d5b7e7262cc8be1c05b31b1dd514faa4f9ad5f68f64a3aad8dc84f7121d9d853b1506e406affc783626017624448540

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ab3bcf876b8d0880bdf2808eabfb70c8

SHA1
4f054b32b31bbd5f00854c16bd8f1b01f4c6d3c9

SHA256
9f646eb48be22684ae95751edd7e12075c7c74b5a5202550570eabb5e8688f8e

SHA512
04dd2b1cfeacc8f644f6db1f334e0df6a07a9d93342d35526a135fefc103417ad72ddae3ab84d9aaeb7421a7bd8f6421c660d82ebc479b8d2ffcf7dbee9cfc52

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9210d9147465b160be4811764b2c24de

SHA1
eb965a761919dd38f22d4ad9a4d0cab9ac68ac6d

SHA256
6e09cd3f089093191084ff8a3b57f5bad4cc3588fd345c2877453b66193975e8

SHA512
d26b72437fa443834ebde240ff5449a339ef96faceb6920dff0baa0660152a28dbe2fecd3c492fe5950db151ee9bf8a111e6ef377968b954c1a9820681126f5d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0f6831c207bbfd93bc8859124e07a587

SHA1
d37c5f4ccb19e3b32513df633caa4321380fc9c5

SHA256
7fde773523a9c483ea70dd06cf4a6bce2cd8efeba1e4acd236422fa6c5c1b0ec

SHA512
35a46d51751bf52e33823b268029ac26f9dbd5a6645fcf82595cadfea66f7672763dc771d3eca4975c2e54cd0509adaeefbc213a1015a452d19f2d3d0721be19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
5b91fa5ed3af485ff2af6c3d580405cf

SHA1
80c2166178ffb12d234c99b057ae7bf2893947c1

SHA256
e3089c107bf5bc22f47ae8154f1c447b306865818bae1205afc9d1f0cdcf8d06

SHA512
0a2f123762ac8de2aa378fe26337352a8b998aa0597a3deabd50c7687960e2a722a58e73ec66cac82a81e3c9404d2334ea86f78a69bdebea36f939e15bb58b0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6f784783390a9e8087bb0be03392dd13

SHA1
0b585092135c25ac001550e764bb4d5a6c9c8c77

SHA256
fab56cb6aed9d6d78c98d67b0e11945f012b84176fb99ec26f7fbc474f7c1d69

SHA512
e3ae44ebf2a3650b5ebf1d67c13d1a4effa6f400066565305642fcb7bd18f008a9729a27b882c170586ac64f3049ac890576891cc9ce5a0459b5ddbeeaf6339f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
dd23d1c58fb3ae2b96145fb9fd344b39

SHA1
b4cf8776070891879eb6418f15fe27c76216f07e

SHA256
9b9dd577fb910dd691482ef4dd65620ba76faa73c1bb4429ea017f716217ca58

SHA512
d9be821bdb000091c936e63629339ca4659e30ec2d8394ce072ad1a0c84b1fd479e1f26bc3e1cca98490060481a5fc350deeccea6315c5cf9d59fa027672de4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e6b19df6d4116c0b9d24f14aa8f65e30

SHA1
3c6a4cd49d5753e7eefe4b347ebefc85b842d100

SHA256
fb4331c2109d1120a65a85abb28e93ad5637023878b7c1ae9d5dc9e4405cf6a8

SHA512
4a1b6ecf8d2e07e74265c0eb85c555f7cf4f93d3591ac2503bbc3e55392bd49719ab0881669a007da43ce7c7171b44354a4b90440d1541471ac8a6f1697fe2d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1e616dc99b6afd160c1f50a615181e68

SHA1
2c73e8213a553158a6a847cd05b3da58d77be3f1

SHA256
e1babba0f783c095d3fe2798fa63c4beca23b6a0751a5c5e1c17908e0f0145f5

SHA512
6d60f2235471aa045ab19ff10cfdd2da290c5fa34a029e2a948a580dcf54aea78e37be38aededd34ad9eca37c8328ac4e1368f0b3091e008629a7440a592b47d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b10331bb9cddcfb4f8d8691ffcafbd07

SHA1
9d3b37a1ce6d8325f321d2b6432f2023f6857270

SHA256
f8282b494934741de11605344a6bbe0c0ae424725f31d652c50082d166318ad3

SHA512
f959bb3c03e05fe69b3a9aeb571ca63964e835a165fc2aef6a6b1b35d941f0798341fee0fcae3fb69d43195a329d8c5e4717d567ace21380655e222d8af9e506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
44966350b1a7298fb5d13377180180fd

SHA1
57554dffdf10eb03e7c35d5c4f2c00f47f3cadee

SHA256
7188e2708e60a3dc198faf179c09c5cb4c1070013f32af9d412fc59cf90b468e

SHA512
fb04c6ad92642fe944e474def23b5676805c4ae5bba4018ab901560dcdbdd55153e15e3a41bc630df4eb85da256877509a5e834c70a0383a1342d39be2a8fbe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6233087c62110ac026829392949b40d4

SHA1
1e36aaac2efef773af2b25c5127f2f30aae15320

SHA256
e7092b2163a786305364e41acb218c9860adef6808cdb7d9ab0915f7b72838f3

SHA512
c6f44cec6a47983f8793cdfa006b70fce488415f5bc7baf077d310ddf39c8a999609cfdd7ba015b3f6aa87c82184b58aad21be8a92eb37dbb07c8cf0a28345ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
04f53d58a1c2da675097e37b08977374

SHA1
7805c0c74e4f5fa8e175c5362d1f10f7e7768e32

SHA256
3d7c5365c7600d571fe4270efa101c60649acbf70598597d1dcda540e2590533

SHA512
386b9c480ed61d58adff5e900e56c9a36f0c067c6a7eb61fa46950e788d9cee34a6fe58cf311a3d95b6eb6bf2a9563cd4df72cbf0d878db6aa58160611876b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8295cb95728c03cf47c82779b670cbc1

SHA1
2b84f2900c22a53adc2fd142cdd55147a4b65ee7

SHA256
b74eaebe6b1aa2e8447cfef2f8830d42c4513e4008bdebb58aa5a5ae0a3b40ea

SHA512
a0bb23a43114b895147d2c1a92f2021d3e7a50afd6875ce4c4fba7984eff94da3fd8089d19374558647f84aac79e9efd92230c3ee993d38d1d616877e284d32a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fef091b7fa3dd768119e92f9dd29ccca

SHA1
afb8f95e91fea0abaec8f9d169fabd3642489a3d

SHA256
8bebe94e29a9480a60edb7eed9cdb3ca93fcfa671800dc5653391fde03ee0dab

SHA512
c12d8129d8c2f04f94c340e5c758271ca49d95018585bfac060344c3a7261c7224cd8c2ba9d84b31252a2680f88464b90ed91dd213d132aef04ada6039d664eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f301aec8fc2c30c8382d1b109099111b

SHA1
a34aaf43fde5045a10ba9a839fc9faebce5ca417

SHA256
b5c83bab512369ee8e94fd1987fd8754f4fecb3551a71e340ba430c94559699d

SHA512
db44baa66460d7e2757959a2d3efb8f8aac35ebf48600be64454765657c5dd28b83b26eb2426f5dc49592b381d8eb961850f67a137e5fc652cee086d4f83b36e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
99af2ef4a8f460691a7f8efa2cc53c6f

SHA1
76721cc6a48c5d8fabc6b915302427a0e426748e

SHA256
82e8cb05eaab5b06fb5c1b2fdb1de9e14cac501b5b41e7045c35abf808b2f831

SHA512
5106b5bbb09f3e393e072099e2bc4bbf09b791122fe1be5b0a639aedf789a32fd3ee3a6bd9948d866e40db1d3a7d019593678bbe48d9c418017c94b2177c999d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
656057e03a48fee8ac6514a6dbfa15df

SHA1
b59d562293ee4bd533f876cbe0b7a267038960b2

SHA256
8876472423f0bc85ea76d770a0a65f668fb858aa37ed72fbb9c05041810e4b8d

SHA512
f67df475343621018aa58a7a128d283ef5b4cbe6b287a8cf35d9f37a2c687de809316bb7c2a97a45479c5be99ddbf7b7fd036574c9a52ce915a6cb28ba491ea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3f3b94d55c2c3132ed786f0577e78e2b

SHA1
b3872a3fd9762e1eddf78b717a448cafec4ec4ca

SHA256
3ddc0751d8bf206fdab007095a30e31e550bdb5ae5af3311769cb1a2fec23701

SHA512
cec0d41f71599098b024973fc109467ce228ea5f91dd7354cab561c7609a23eb8698869239d683d34cab018de17b524495c227f9983d1e27c8bee693b8f52c18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
03036d2383f97a3c5a8c9498b4cd70b2

SHA1
af15a2194f1a5927b8df21a7aa6dd9f0051fb486

SHA256
8f68df2c48c08e45e96b73adb3f8a278b21789581888aa39f59574edfb726b54

SHA512
98feb2c3fb53185dc624f036bcabc3d411673d650bb4dead6eefeb2c7d0b5f4ee80ed23133f270ca1e93572b6552b963869afffe2ee507ec059bac6d78fc332c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7bfe535fcbe63e905ec744e7e3dc66f3

SHA1
ed3a9fbf1bfbe320f6aa18bdf53fd1337f5ef90a

SHA256
e768d1362cf04540a65ed924f47558e29346565f60af0dc2f93687b10309a5a8

SHA512
1afb9a176830783b6db87e57ffa81d9ff9b4737efa5469977eb9436c3b3583f10bd71a9fcdec3d90458a3751cd0ac07b7cbaa7ecaa1403fbd99c761e6e3aac1c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0dd7cc398e4747330db071ecec3ff2b3

SHA1
9e0b194e7df728e941a6f1d0bf0f968b8d90f7ce

SHA256
c117692c63a350e9403f28c60bee264b36ccbf0c0916ccc7f3d67a8ebe2115ac

SHA512
4b28b861782ad18f95d902ed703556634bd5bc0a36e856b1d3c4008b6654e293ef333ad781f99a9a2164e392935ba5603ec7570e891c1cb83862150176a3f8a8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e1e5bd0ffc823b86b57e71846a94dbf1

SHA1
e811cc4fc9335d31e49bdaa1a23fb478ea9e86ff

SHA256
9c7ce9f539525141cf44838a00af926bfd737797bf9e03bc43ce933267ddac25

SHA512
117459316a12b54ef40f892427d248f0166defbd106147c134727e60544d6116cf92bb8e94b97a495055fcefff89e1b592bcf096f1add33b8265ed2fc0bf8184

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d3229922b4a02ae5acec8a1a153bf075

SHA1
f210611dac4b685bdc316f1491c9424d0bbbaa6c

SHA256
c19449c8b8de98128c7ace3bcca6089a03c9526fc1633abfd10ac40703589570

SHA512
96e35fa3eb182bba6c22ccedb49356f252fa0ca7a7485384afd2d67c85f6ed1a02ec2a4834f054b36f5af05997a7c3b578df1f0b3dc8b422fc0aeb8a397d8063

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a27c30053b9024c4d31733d957fee812

SHA1
5f5c59f13037b515b06eefd3b75fbaf1008a24d6

SHA256
2d631da96ad60edb3405c9cd863cf4de315dbedd63c3afc4b29b74dda43be2cd

SHA512
070d116fd52290f59dd752b48605f363870ca0415d72b3a283be5b1792e2e4b45056ad7c08b716a6a5d2d6e6c70aaa9ee08f146b0ab2042b57b17fd44f032433

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0a4fdb9e80c9809c1e7647c0e260584d

SHA1
09096246b42ea2b569bf04388960efe6786b0b81

SHA256
d7fff68eb9dd554061562b541c3a398bf68eac21d488bd2a6d27302f27211ccf

SHA512
733ce577bb392981dcbdcca9d4cb8b5ff6126c1d0eacbc8a1363653b2e5fa831bb9eaf5c2c162f0151c4c7eb1ab812dab2b152add704a2f7dc6398acaa68ef96

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
991db24dd25b4ba09e6a6d8a27a4a02a

SHA1
5ac8b9c6dcb11aa50a5b1255da33cb18bced21e3

SHA256
961f614ea3673f3a5f84b00285139ce902c338522f53d6755e8e1acc3278861a

SHA512
9aadafed06b938be6c8f2b5bff02b3b63f6eb47002bd634ef0486ea1b74c95a76c8089d601f8ae18bd3119ce329e13204a0f02a17b321e5ed625ba72f3524387

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4e33b713d4836f0bb6ddc00fa8ae6ad9

SHA1
f3dbe14241678166342219440dedac4920bd8339

SHA256
e70f7897cca68eb755d0a628f77917027a417f6ef20f106a6c6e83dec693ee04

SHA512
b66941717d40a2b0ea7c5bbdbfed4aab1ebf588aa33f3f0ee3ec7afa3fdde64840c7169a46fa1240d2e516a175711511626b49affc49ff59654fbbc98ffd0f06

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
16bc54e84073337e4a8fca438d98300c

SHA1
20e1d092c4c3af5a8326b4e2d8c021408d2eb72d

SHA256
f399ef8d19c0deb062a1af5abd4fe8d93615161a343bdc0ff557c144f050f006

SHA512
7b45b6845a5791a144aa7b0bdac8aa0723e5cfb06ad77bb865c58f853f6031957fb6f3e150ecd005c2f4cfc70444c1bd89a0ff6d323c16486a977d110a89d98d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
53ad0d93f6c6b1e3ac14c67564d541ab

SHA1
d1e2fdb534792db2e02a97c8d1286d506e1b4944

SHA256
590b1a1c5190e2caf7bad9e9ca4f6407cd24efe05bbd2336dfd51af46cb14004

SHA512
e1ba34cc9859d715f6dcc7ff34a8dbeefc9b9bcfe67f96968ea020ca79a4c8886f687269531be850869f773d70d67042ed3c9323c3d260901f0718ecab0c6bd5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a45b616206743cea1554ee1e675acfbc

SHA1
aa5701da666b15262d6c582c8d6f486863cd01a4

SHA256
cbb76bcdfd63dce23ce78eb18bdc89ac7a7625911869c8321e98d521e090d822

SHA512
d89ff73f98c1a39852b71e4a411e8280c90e9d1c2e435b674c59cc2c3415ec3c94df83a9cc5c10917d85c8a00ec66cf2cb0750beaebd112fdf042f087e6098ae

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
83bb80f3a37691568d5c576b89398eed

SHA1
f64eb7de49ceb239ef7b0a7057079c42f870e26a

SHA256
855800b8abcc0714394678544ad94142e47ebec9c8162a27ba28718dfa3447ee

SHA512
82f0d7ca25e6f79b685318673f79945584c3b4efab8d3def93bcec035263b6e3ce67900a1a3f39e51418c3f03bee6f3743fade6299b06ec0944e23465e0fb220

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9fff1492951f6634a6451c377833f09a

SHA1
7d59242635a687134441b3c728343db8c6465cb5

SHA256
8fc07e18bd9a53c479bd03e55485d8d06a6f252f35ab98bcd9100d5e403bf9be

SHA512
e2f4244001e6da1adadb08761efbedc58e18e8fea99045f293726e668877770d19ab45b291960557730efab4388fb976c404c9048aa02ce79cc7ad2a3fd11ef4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8911ee71ab26946cf0027c8481144197

SHA1
714cb46df6499a1ae1a44157eb93a4ccdeb38050

SHA256
b1f50fb81f364377d2cd12d6ded82049e78bab43f763855908b5addee303b76e

SHA512
0017c34e21a8129006a92747739e5da3e96cd06ed27e05ce530450fc66150c523812738e9dbfc5a2d6ef00e5a49687960939578c5409de70c4aab6c44dba2404

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d998878a0c44e041838462580133c6dc

SHA1
f8eafdfd63fbb3c12eed6c7fc96eb5f52e193d40

SHA256
1aedd7fbd089c61599e0b97c42b2e6706da9a8293ba5976daefc4d42da8a75de

SHA512
20a91bc57f4bedb20b63227e9bbadf806073499ea59d33644154bf3a0662a350cde8159d73c70e9d7056d48b6166803e14f13109749b1ad172226a9026e30466

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8c98243eb5c205b9e2fd0a6eb97cf40f

SHA1
b86e86749ba749c04cef8eee86cd872cc8f4fb4a

SHA256
2d0f262cd01cd5b10f3ab0bfc4004ed4fe9e6c98538cffd40b92fb94bbd7a0f1

SHA512
f21bbed9c445980c6493f5da21cb713610a1ee267c4605a2f78439483f0919e14342e57c46a6e14a98a335f2a3ea749ab09c9b78ea871209a3bae31b880eeb1e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
80e14dfb09624471f16e48533609f138

SHA1
b88427a2bf321d7ffc72b370297761ff61e98132

SHA256
1f259567be9651ea6e7f06a63527360fdd3cf598e5ca3281242f7908008b87ba

SHA512
803ca1ee969cf8016b7d89d7d79a6d6c9dae2fd2b62f27b1a8f9b201b9d1cab38ac99a6dfe1c3f9267f8736c737ecfc0767d029add8413eb77ecbffac45b5dde

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9fcc57b41898771f7d2070364089eddf

SHA1
8879dd0816939d8e6703e137f968155759e7a484

SHA256
f10f60c7445f0eec08d6878eeafbfb18141ba6de9e8d1880f689150f099852e6

SHA512
8ba3e001dc9d14b766f6204abc622aee199576f5d8afa78465b7eb095c8f04f027098b1f4954a17b1cb7c1f8c9d09e42e80deef40b38d60ac72b1832fb54e839

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
eb5e44845e417274d207cfe4659f2d83

SHA1
220b83d2966b23ae310ce4f5181d52c178c4d8c8

SHA256
508fbd69ff44e0b070a72d8009a7c01caf91aca65193c75f82e51b1594caefb3

SHA512
7156e9e000850777458abe563f4e70aa7309cdf8e5111b9d2ff90b2fea1b49c7e912d3dd4374d28cb2454eee0152e641ff44400e3aba4afa59c80cd1fa39cf88

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
05c4dbfb71b577e474f9b8ffc66fc943

SHA1
211e684863070bff6c72b047ab7dbe1c133ed4f8

SHA256
9ea427fcbeb132c227d89a5e1d760d4989f2687aa0e5206d4c54762f33cc7c15

SHA512
9b2e3a91006ce2a9f61fbd31d24e1cf8564005b7b73c951e2ff639d39288ca04cd0c03145ffea5764e62d1298a6034c90602a0fb0fde95b4429ce6f37ab6e0ef

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0c840db1b3fa2fdf04a6e955fe327b0d

SHA1
09afe28389f08230f4d73c0e9f0dc952de6ebbda

SHA256
e1e00bcabd534beb96a8ba091ae17129072fdac7142774c3947fc9796043487b

SHA512
77f6c545c1dba4fb842c32f9637dbeda379e39c0542e17e13c45b73f83f1cbbcf07701e98ae710920a52ee98b92e585bc1d9e311da129ad553da1df868b71c31

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a4b9878d72db935b8d0ced6d8183b829

SHA1
7f3e7dda074cee9e230cca0253061a44e5041808

SHA256
36d35b013e9301e7811718598bb61c42f75c580f8f25b59aba2c8e5879c9caac

SHA512
630bfb9866cba63deb559cbf5cbc7fc0e306536b8943938c8c5a6b99fd29689ddce0a98f64b41646be6841d00b1d1f906a26e16e17b324040672675a9c9d3325

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
85d7ed5bb19848b2d6a11bd3cf3d8e83

SHA1
86109cb06f42638e61686092bc697d3be5b33603

SHA256
4dc55142432fe18c77c65136b6308b8a8a06c4b5a80ebecaefce8174a353633e

SHA512
c2a15ab04745b79f739f9268de5af61b1243bda5c850166410ff8a0a2f6a2189011d2bee322a224bcae2b93def92474f94fa293514f2e096dc280bb7961dde44

Download Submit
memory/316-7-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/316-1-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/316-0-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/316-548-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/316-97-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/544-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/544-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1480-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1480-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1480-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1548-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1548-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1548-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1548-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2072-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2072-592-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2144-479-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2552-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2552-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2552-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2552-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2556-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2556-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2632-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2632-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3124-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3124-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3772-230-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3772-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3784-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3784-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3884-591-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3884-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4032-44-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4032-58-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4032-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4032-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4032-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4100-480-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4100-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4140-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4140-85-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4140-74-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4140-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4140-80-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4508-266-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4508-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4572-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4572-254-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4732-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4732-471-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4852-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4852-476-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4964-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4964-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5000-49-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/5000-178-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5000-55-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads